From 456bd64195714e38096dfa10a5752c7841339d32 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gautier=20Ben=20A=C3=AFm?=
Date: Mon, 15 Dec 2025 17:17:12 +0100
Subject: [PATCH 1/4] feat(npm): automatically enable provenance when conditions are met
---
 packages/plugin-npm-cli/sources/commands/npm/publish.ts | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/packages/plugin-npm-cli/sources/commands/npm/publish.ts b/packages/plugin-npm-cli/sources/commands/npm/publish.ts
index 04bc719d1dc4..6ece332946ec 100644
--- a/packages/plugin-npm-cli/sources/commands/npm/publish.ts
+++ b/packages/plugin-npm-cli/sources/commands/npm/publish.ts
@@ -140,6 +140,9 @@ export default class NpmPublishCommand extends BaseCommand {
 } else if (configuration.get(`npmPublishProvenance`)) {
 provenance = true;
 provenanceMessage = `Generating provenance statement because \`npmPublishProvenance\` setting is set.`;
+ } else if (process.env.CI && (process.env.GITHUB_ACTIONS && process.env.ACTIONS_ID_TOKEN_REQUEST_URL || process.env.GITLAB && process.env.SIGSTORE_ID_TOKEN)) {
+ provenance = true;
+ provenanceMessage = `Generating provenance statement because running in a trusted CI environment. Set \`npmPublishProvenance\` to false to disable provenance.`;
 }

 if (provenanceMessage) {
From b8bed916a339cc1d97c6c5ca52fb08029ade54e7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gautier=20Ben=20A=C3=AFm?=
Date: Mon, 15 Dec 2025 17:21:33 +0100
Subject: [PATCH 2/4] Create 5f0ffe17.yml
---
 .yarn/versions/5f0ffe17.yml | 36 ++++++++++++++++++++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 .yarn/versions/5f0ffe17.yml
diff --git a/.yarn/versions/5f0ffe17.yml b/.yarn/versions/5f0ffe17.yml
new file mode 100644
index 000000000000..2fe7e0747e29
--- /dev/null
+++ b/.yarn/versions/5f0ffe17.yml
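Review bot: The new message promises an opt-out that the code does not implement: it says to set `npmPublishProvenance` to false to disable provenance, but the branch just above only fires when `configuration.get(...)` is truthy, so a `false` value falls straight through into this new CI branch and provenance is enabled anyway. Either the setting has to be consulted with a tri-state check placed before the auto-detection, `} else if (configuration.get("npmPublishProvenance") === false) { provenanceMessage = "Skipping provenance statement because npmPublishProvenance is set to false."; }` (template-literal quoting as in the file), which only works if the setting's default is `null` rather than `false` — worth confirming in the plugin's configuration schema — or the message must point at an opt-out that actually exists. Flipping the default on is also a behaviour change for pipelines that publish from these environments today without provenance; a publish from a private repository will presumably fail once a provenance statement is requested, so a one-time warning would be kinder than a silent default change. The surrounding if/else chain begins and ends outside the hunk.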
@@ -0,0 +1,36 @@
+releases:
+ "@yarnpkg/cli": patch
+ "@yarnpkg/core": patch
+ "@yarnpkg/plugin-npm": minor
+ "@yarnpkg/plugin-npm-cli": minor
+
+declined:
+ - "@yarnpkg/plugin-catalog"
+ - "@yarnpkg/plugin-compat"
+ - "@yarnpkg/plugin-constraints"
+ - "@yarnpkg/plugin-dlx"
+ - "@yarnpkg/plugin-essentials"
+ - "@yarnpkg/plugin-exec"
+ - "@yarnpkg/plugin-file"
+ - "@yarnpkg/plugin-git"
+ - "@yarnpkg/plugin-github"
+ - "@yarnpkg/plugin-http"
+ - "@yarnpkg/plugin-init"
+ - "@yarnpkg/plugin-interactive-tools"
+ - "@yarnpkg/plugin-jsr"
+ - "@yarnpkg/plugin-link"
+ - "@yarnpkg/plugin-nm"
+ - "@yarnpkg/plugin-pack"
+ - "@yarnpkg/plugin-patch"
+ - "@yarnpkg/plugin-pnp"
+ - "@yarnpkg/plugin-pnpm"
+ - "@yarnpkg/plugin-stage"
+ - "@yarnpkg/plugin-typescript"
+ - "@yarnpkg/plugin-version"
+ - "@yarnpkg/plugin-workspace-tools"
+ - "@yarnpkg/builder"
+ - "@yarnpkg/doctor"
+ - "@yarnpkg/extensions"
+ - "@yarnpkg/nm"
+ - "@yarnpkg/pnpify"
+ - "@yarnpkg/sdks"
From 2d8134cb9de499a3d9919dba5a2ed180706ef358 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Gautier=20Ben=20A=C3=AFm?=
Date: Mon, 15 Dec 2025 17:25:00 +0100
Subject: [PATCH 3/4] Update publish.ts
---
 packages/plugin-npm-cli/sources/commands/npm/publish.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/packages/plugin-npm-cli/sources/commands/npm/publish.ts b/packages/plugin-npm-cli/sources/commands/npm/publish.ts
index 6ece332946ec..1a6e90e21a13 100644
--- a/packages/plugin-npm-cli/sources/commands/npm/publish.ts
+++ b/packages/plugin-npm-cli/sources/commands/npm/publish.ts
@@ -140,7 +140,7 @@ export default class NpmPublishCommand extends BaseCommand {
 } else if (configuration.get(`npmPublishProvenance`)) {
 provenance = true;
 provenanceMessage = `Generating provenance statement because \`npmPublishProvenance\` setting is set.`;
- } else if (process.env.CI && (process.env.GITHUB_ACTIONS && process.env.ACTIONS_ID_TOKEN_REQUEST_URL || process.env.GITLAB && process.env.SIGSTORE_ID_TOKEN)) {
+ } else if (process.env.CI && (process.env.GITHUB_ACTIONS && process.env.ACTIONS_ID_TOKEN_REQUEST_URL || process.env.GITLAB_CI && process.env.SIGSTORE_ID_TOKEN)) {
 provenance = true;
 provenanceMessage = `Generating provenance statement because running in a trusted CI environment. Set \`npmPublishProvenance\` to false to disable provenance.`;
 }
From c5bd68d7133985e55069d1056c37e9c0fff8a21f Mon Sep 17 00:00:00 2001
From: Gautier Ben Aim
Date: Sat, 31 Jan 2026 11:31:33 +0100
Subject: [PATCH 4/4] --no-provenance
---
 .../sources/commands/npm/publish.ts | 21 +++++++++++++++++--
 1 file changed, 19 insertions(+), 2 deletions(-)
diff --git a/packages/plugin-npm-cli/sources/commands/npm/publish.ts b/packages/plugin-npm-cli/sources/commands/npm/publish.ts
index 1a6e90e21a13..d84fef0d2f5f 100644
--- a/packages/plugin-npm-cli/sources/commands/npm/publish.ts
+++ b/packages/plugin-npm-cli/sources/commands/npm/publish.ts
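Review bot: The corrected `+` line still mixes `&&` and `||` with no grouping around the two provider conjunctions, so a reader has to recall operator precedence to see that `CI` is required for both providers while `SIGSTORE_ID_TOKEN` is only required on GitLab; naming the two checks keeps the intent visible and gives the next provider an obvious place to go: `const githubOidc = process.env.GITHUB_ACTIONS && process.env.ACTIONS_ID_TOKEN_REQUEST_URL;` `const gitlabOidc = process.env.GITLAB_CI && process.env.SIGSTORE_ID_TOKEN;` `} else if (process.env.CI && (githubOidc || gitlabOidc)) {`. These are presence checks on environment variables that any shell can set, which is acceptable here because they only pick a default and the real OIDC exchange still has to succeed, but the message's "running in a trusted CI environment" overstates what was verified — "because a CI OIDC token was detected" describes the check honestly. The if/else chain this line belongs to starts outside the hunk.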
@@ -44,7 +44,21 @@ export default class NpmPublishCommand extends BaseCommand {
 });

 provenance = Option.Boolean(`--provenance`, false, {
- description: `Generate provenance for the package. Only available in GitHub Actions and GitLab CI. Can be set globally through the \`npmPublishProvenance\` setting or the \`YARN_NPM_CONFIG_PROVENANCE\` environment variable, or per-package through the \`publishConfig.provenance\` field in package.json.`,
+ description: `
+ Generate provenance for the package. Only available in GitHub Actions and GitLab CI.
+
+ Can be set globally through the \`npmPublishProvenance\` setting or the \`YARN_NPM_CONFIG_PROVENANCE\` environment variable, or per-package through the \`publishConfig.provenance\` field in package.json.
+
+ Defaults to \`true\` in trusted CI environments (GitHub Actions and GitLab CI) with properly setup credentials, unless explicitly disabled with \`--no-provenance\`.
+ `,
+ });
+
+ noProvenance = Option.Boolean(`--no-provenance`, false, {
+ description: `
+ Do not generate provenance for the package. This overrides any other provenance settings.
+
+ Set \`--no-provenance\` to enable OIDC without provenance (e.g. for private repositories).
+ `,
 });

 dryRun = Option.Boolean(`-n,--dry-run`, false, {
@@ -129,7 +143,10 @@ export default class NpmPublishCommand extends BaseCommand {
 let provenance = false;
 let provenanceMessage = ``;
- if (workspace.manifest.publishConfig && `provenance` in workspace.manifest.publishConfig) {
+ if (this.noProvenance) {
+ provenance = false;
+ provenanceMessage = `Skipping provenance statement because \`--no-provenance\` flag is set.`;
+ } else if (workspace.manifest.publishConfig && `provenance` in workspace.manifest.publishConfig) {
 provenance = Boolean(workspace.manifest.publishConfig.provenance);
 provenanceMessage = provenance
 ? `Generating provenance statement because \`publishConfig.provenance\` field is set.`
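Review bot: Declaring a separate `noProvenance = Option.Boolean("--no-provenance", false, ...)` next to `provenance = Option.Boolean("--provenance", false, ...)` is likely to collide with clipanion's own handling of boolean options, which — as far as I recall, and as Yarn relies on for flags such as `--no-immutable` — already accepts `--no-<name>` as the negated form of `--<name>`; depending on the clipanion version this either routes `--no-provenance` into `provenance = false`, never reaching the new field, or registers the same token twice. Worth confirming against the clipanion version in the lockfile before shipping a second flag; if negation is built in, the cleaner fix is to drop `noProvenance` and declare the existing option without a default, `provenance = Option.Boolean("--provenance", { description })`, so that "not given" is `undefined` and an explicit `--no-provenance` is a distinguishable `false` the consumer can test first. If both fields are kept, `--provenance --no-provenance` on one command line is contradictory and should be rejected up front (clipanion's `UsageError`, if it is already imported here) rather than silently resolved in favour of `--no-provenance` as the description's "overrides any other provenance settings" implies. The consumer of `this.noProvenance` lives in the following hunk, which runs past the end of this page.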