Create npm-publish.yml #636
Conversation
Single
|
Thanks for raising a pR. I need to understand the advantage of this addition. Currently, I prefer to check the PR thoroughly on my local and then publish it with 2FA. |
There was a problem hiding this comment.
@amitguptagwl IHMO using such a workflow offers certain advantages over a manual process, whatever the workflow trigger.
Here, the workflow starts when a GitHub release is created, but it could start when a tag is pushed or by letting a maintainer trigger it manually (with workflow_dispatch).
Automation ensures that the source code of a version of the npm package can be easily audited. The git tag linked to the version is always available in the repository, avoiding problems like #716.
The content of the npm package can be trusted using npm provenance.
This allows you to publicly and verifiably establish where and how your package was built, which increases supply chain security for people who consume your package.
| - uses: actions/checkout@v3 | ||
| - uses: actions/setup-node@v3 |
There was a problem hiding this comment.
suggestion: Use v4 for both actions (they were probably not released when the PR has been created 😄 )
This also applies to the other job in this workflow file.
| registry-url: https://registry.npmjs.org/ | ||
| - run: npm ci | ||
| - run: npm publish | ||
| env:single |
There was a problem hiding this comment.
nitpick: extra "single" expression
| env:single | |
| env: |
| publish-npm: | ||
| needs: build | ||
| runs-on: ubuntu-latest | ||
| steps: |
There was a problem hiding this comment.
suggestion: Add permissions to the GH_TOKEN to be able to use npm provenance
See https://docs.npmjs.com/generating-provenance-statements
| steps: | |
| permissions: | |
| contents: read | |
| id-token: write // Give permission to mint an ID-token for npm provenance | |
| steps: |
| node-version: 16 | ||
| registry-url: https://registry.npmjs.org/ | ||
| - run: npm ci | ||
| - run: npm publish |
There was a problem hiding this comment.
| - run: npm publish | |
| - run: npm publish --provenance |
|
Thanks @tbouffard . let me check this in detail. I'm holding any change in FXP for some period now until some bug is reported. |
Single
Purpose / Goal
Type
Please mention the type of PR
Note : Please ensure that you've read contribution guidelines before raising this PR. If your PR is in progress, please prepend
[WIP]in PR title. Your PR will be reviewed when[WIP]will be removed from the PR title.Bookmark this repository for further updates.