Enable Build Provenance for Nightly Builds

Maybe. This is pretty difficult (impossible?) to test outside of the CI environment itself. Ostensibly, this is all we should need for github actions, though. cc @DanielRosenwasser who wanted to know what it'd take to enable this. For nightlies, at least, it's in theory not bad. For actual releases, it's likely a bit more complex, given our publishing and releasing pipeline.
2026-06-21 07:26:21 -05:00 · 2024-06-25 08:34:40 -07:00
parent fa4f2e5148
commit 8d98be46b9
1 changed files with 2 additions and 1 deletions
--- a/.github/workflows/nightly.yaml
+++ b/.github/workflows/nightly.yaml
@@ -8,6 +8,7 @@ on:

 permissions:
  contents: read
+  id-token: write

 # Ensure scripts are run with pipefail. See:
 # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
@@ -60,6 +61,6 @@ jobs:
          npx hereby configure-nightly
          npx hereby LKG
          node ./scripts/addPackageJsonGitHead.mjs package.json
-          npm publish --tag next
+          npm publish --provenance --access public --tag next
        env:
          NODE_AUTH_TOKEN: ${{secrets.npm_token}}