feat: enable npm provenance on published packages #482

Closed
BethGriggs wants to merge 1 commit into backstage:main from BethGriggs:enable-provenance
Conversation

@BethGriggs
Contributor

Hey, I just made a Pull Request!

Opened this to attempt to enable provenance so that we can get references back to the commit and GitHub actions flow that published the package.

I am unsure if this will just work as we're publishing via yarn workspaces foreach <command>.

Note: At this time, yarn is not a supported tool for publishing your packages with provenance.

I'll try and test locally and confirm.

✔️ Checklist

  • A changeset describing the change and affected packages. (more info)
  • Tests for new functionality and regression tests for bug fixes
  • Screenshots attached (for UI changes)
  • All your commits have a Signed-off-by line in the message. (more info)

Signed-off-by: Beth Griggs <bethanyngriggs@gmail.com>
@BethGriggs
Contributor Author

Oh boo, this will not just work because:

yarn workspaces foreach will run a yarn command, not execute a CLI*. That means that this runs yarn npm publish in every package and not npm publish. This is crucial, because yarn npm publish is its own separate CLI that doesn't support the --provenance flag.
storybookjs/storybook#23917 (comment)

One option is to yarn pack and then npm publish. Thoughts? I do think enabling provenance would be useful as a means to track a build/publish to a specific commit in this repository.
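
The pack-then-publish option raised in the comment above, sketched as a shell script. This is an added example, not part of the pull request or the Backstage repository; it assumes Yarn 2+ with `workspaces foreach` available, npm 9.5.0 or later, and a GitHub Actions job granted `id-token: write`, and the names `OUT_DIR`, `NPM`, `YARN` and the `--publish` switch are chosen here for illustration.

```shell
#!/bin/sh
# Added example: pack every public workspace with yarn, then publish the
# tarballs with npm so that --provenance is available.
# Assumed: NODE_AUTH_TOKEN (or an .npmrc) already authenticates npm.
NPM="${NPM:-npm}"     # overridable, hypothetical knob for dry runs
YARN="${YARN:-yarn}"

# Provenance needs an OIDC token from the CI job. GitHub Actions only sets
# ACTIONS_ID_TOKEN_REQUEST_URL when the job has `id-token: write`, so fail
# here instead of halfway through a release.
preflight() {
  if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]; then
    echo "no OIDC endpoint: job lacks 'id-token: write' or is not in GitHub Actions" >&2
    return 1
  fi
}

# yarn pack rewrites workspace: dependency ranges to real versions, which is
# why the tarball is built by yarn and not by npm.
pack_all() {
  out_dir="$1"
  mkdir -p "$out_dir" || return 1
  "$YARN" workspaces foreach --all --no-private pack --out "$out_dir/%s-%v.tgz"
}

# npm publish accepts a tarball path; stop at the first failure.
publish_all() {
  out_dir="$1"
  count=0
  for tarball in "$out_dir"/*.tgz; do
    [ -e "$tarball" ] || continue
    "$NPM" publish "$tarball" --provenance --access public || return 1
    count=$((count + 1))
  done
  [ "$count" -gt 0 ] || { echo "no tarballs in $out_dir" >&2; return 1; }
}

main() {
  # Absolute path: foreach runs pack from inside each workspace directory.
  dir="${OUT_DIR:-$PWD/dist-tarballs}"
  preflight && pack_all "$dir" && publish_all "$dir"
}

# Nothing touches the registry unless the script is called with --publish.
if [ "${1:-}" = "--publish" ]; then main; fi
```
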

@github-actions
Contributor

This PR has been automatically marked as stale because it has not had recent activity from the author. It will be closed if no further activity occurs. If the PR was closed and you want it re-opened, let us know and we'll re-open the PR so that you can continue the contribution!

@github-actions github-actions Bot added the stale label Aug 31, 2024
@BethGriggs BethGriggs closed this Sep 3, 2024