diff --git a/.yarn/versions/5f0ffe17.yml b/.yarn/versions/5f0ffe17.yml
new file mode 100644
index 000000000000..2fe7e0747e29
--- /dev/null
+++ b/.yarn/versions/5f0ffe17.yml
@@ -0,0 +1,36 @@
+releases:
+ "@yarnpkg/cli": patch
+ "@yarnpkg/core": patch
+ "@yarnpkg/plugin-npm": minor
+ "@yarnpkg/plugin-npm-cli": minor
+
+declined:
+ - "@yarnpkg/plugin-catalog"
+ - "@yarnpkg/plugin-compat"
+ - "@yarnpkg/plugin-constraints"
+ - "@yarnpkg/plugin-dlx"
+ - "@yarnpkg/plugin-essentials"
+ - "@yarnpkg/plugin-exec"
+ - "@yarnpkg/plugin-file"
+ - "@yarnpkg/plugin-git"
+ - "@yarnpkg/plugin-github"
+ - "@yarnpkg/plugin-http"
+ - "@yarnpkg/plugin-init"
+ - "@yarnpkg/plugin-interactive-tools"
+ - "@yarnpkg/plugin-jsr"
+ - "@yarnpkg/plugin-link"
+ - "@yarnpkg/plugin-nm"
+ - "@yarnpkg/plugin-pack"
+ - "@yarnpkg/plugin-patch"
+ - "@yarnpkg/plugin-pnp"
+ - "@yarnpkg/plugin-pnpm"
+ - "@yarnpkg/plugin-stage"
+ - "@yarnpkg/plugin-typescript"
+ - "@yarnpkg/plugin-version"
+ - "@yarnpkg/plugin-workspace-tools"
+ - "@yarnpkg/builder"
+ - "@yarnpkg/doctor"
+ - "@yarnpkg/extensions"
+ - "@yarnpkg/nm"
+ - "@yarnpkg/pnpify"
+ - "@yarnpkg/sdks"
diff --git a/packages/plugin-npm-cli/sources/commands/npm/publish.ts b/packages/plugin-npm-cli/sources/commands/npm/publish.ts
index 04bc719d1dc4..d84fef0d2f5f 100644
--- a/packages/plugin-npm-cli/sources/commands/npm/publish.ts
+++ b/packages/plugin-npm-cli/sources/commands/npm/publish.ts
@@ -44,7 +44,21 @@ export default class NpmPublishCommand extends BaseCommand {
 });
 
 provenance = Option.Boolean(`--provenance`, false, {
- description: `Generate provenance for the package. Only available in GitHub Actions and GitLab CI. Can be set globally through the \`npmPublishProvenance\` setting or the \`YARN_NPM_CONFIG_PROVENANCE\` environment variable, or per-package through the \`publishConfig.provenance\` field in package.json.`,
+ description: `
+ Generate provenance for the package. Only available in GitHub Actions and GitLab CI.
+
+ Can be set globally through the \`npmPublishProvenance\` setting or the \`YARN_NPM_CONFIG_PROVENANCE\` environment variable, or per-package through the \`publishConfig.provenance\` field in package.json.
+
+ Defaults to \`true\` in trusted CI environments (GitHub Actions and GitLab CI) with properly setup credentials, unless explicitly disabled with \`--no-provenance\`.
+ `,
+ });
+
+ noProvenance = Option.Boolean(`--no-provenance`, false, {
+ description: `
+ Do not generate provenance for the package. This overrides any other provenance settings.
+
+ Set \`--no-provenance\` to enable OIDC without provenance (e.g. for private repositories).
+ `,
 });
 
 dryRun = Option.Boolean(`-n,--dry-run`, false, {
@@ -129,7 +143,10 @@ export default class NpmPublishCommand extends BaseCommand {
 let provenance = false;
 let provenanceMessage = ``;
 
- if (workspace.manifest.publishConfig && `provenance` in workspace.manifest.publishConfig) {
+ if (this.noProvenance) {
+ provenance = false;
+ provenanceMessage = `Skipping provenance statement because \`--no-provenance\` flag is set.`;
+ } else if (workspace.manifest.publishConfig && `provenance` in workspace.manifest.publishConfig) {
 provenance = Boolean(workspace.manifest.publishConfig.provenance);
 provenanceMessage = provenance
 ? `Generating provenance statement because \`publishConfig.provenance\` field is set.`
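Review bot: `noProvenance` is registered as a second, independent Boolean option rather than a negation of `provenance`, so `--provenance --no-provenance` on one command line is accepted and the resolution order in the -129 hunk makes the `--no-provenance` side win silently; if clipanion already synthesizes a `--no-<name>` form for `Option.Boolean(\`--provenance\`)`, the two registrations would also compete, which is worth confirming against the option parser before this ships. The new description's "unless explicitly disabled with `--no-provenance`" is incomplete: per the next hunk, `publishConfig.provenance: false` is evaluated before the CI default and disables it as well, so I'd extend the sentence to `unless explicitly disabled with \`--no-provenance\` or \`publishConfig.provenance: false\` in package.json.` Because the CI default turns on attestation for every publish from those runners, the description should also state that the provenance statement records the source repository and workflow identity in a public transparency log, which is the concrete reason the `--no-provenance` text mentions private repositories.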
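Review bot: The `this.noProvenance` branch makes a conflicting `--provenance --no-provenance` pair resolve silently in favour of no attestation; for a publish-time security control it is safer to reject the contradiction up front, e.g. `if (this.provenance && this.noProvenance) throw new UsageError(\`--provenance and --no-provenance cannot be used together\`);` ahead of this chain, assuming `UsageError` is in scope here as in the other commands (not visible in the hunk). The `provenance = false;` assignment in that branch restates the initializer two lines above and can be dropped. The enclosing method starts and ends outside the hunk, and the `this.provenance` check presumably sits between this hunk and the next one.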
@@ -140,6 +157,9 @@ export default class NpmPublishCommand extends BaseCommand {
 } else if (configuration.get(`npmPublishProvenance`)) {
 provenance = true;
 provenanceMessage = `Generating provenance statement because \`npmPublishProvenance\` setting is set.`;
+ } else if (process.env.CI && (process.env.GITHUB_ACTIONS && process.env.ACTIONS_ID_TOKEN_REQUEST_URL || process.env.GITLAB_CI && process.env.SIGSTORE_ID_TOKEN)) {
+ provenance = true;
+ provenanceMessage = `Generating provenance statement because running in a trusted CI environment. Set \`npmPublishProvenance\` to false to disable provenance.`;
 }
 
 if (provenanceMessage) {
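Review bot: The new message tells users to set `npmPublishProvenance` to false to disable the CI default, but the preceding branch only tests `configuration.get(\`npmPublishProvenance\`)` for truthiness, so an explicit `false` falls straight through to this branch and provenance is still generated. Either the chain must distinguish an explicit `false` from unset — only possible if the setting has no `false` default, which would need checking in its definition in plugin-npm, not part of this diff — or the message should name the controls that actually work: `Set \`--no-provenance\` or \`publishConfig.provenance: false\` to disable provenance.`. The environment checks test presence only, so `CI=false` (a string) still counts as a trusted CI environment; if that matters, compare against the expected values rather than truthiness. I'd also parenthesize the inner pairs, `(process.env.GITHUB_ACTIONS && process.env.ACTIONS_ID_TOKEN_REQUEST_URL) || (process.env.GITLAB_CI && process.env.SIGSTORE_ID_TOKEN)`, so the precedence is explicit to the next reader.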