ci(release): add sigstore npm integration through --provenance #3622
Conversation
Primary Changes ---------------- 1. Added provenance config to the publish workflows. Fixes hyperledger-cacti#2623 Signed-off-by: adrianbatuto <[email protected]>
|
The config added in this PR have been tested as I published to npm using the workflows with my personal npm token. Please see the screenshots below of the two published packages with provenance. @adrianbatuto/cactus-common @adrianbatuto/cactus-core-api |
adrianbatuto
requested review from
petermetz,
izuru0,
jagpreetsinghsasan,
VRamakrishna,
sandeepnRES and
outSH
as code owners
There was a problem hiding this comment.
@adrianbatuto Thank you! Could you please confirm that you've published the packages on the screenshots with the .github/workflows/all-nodejs-packages-publish.yaml workflow and not the other one?
If no, then please double check that the mentioned workflow is working as well and then pass it back for review!
@petermetz, I was also able to publish with provenance using all-nodejs-packages-publish.yaml. https://github.com/adrianbatuto/cacti/actions/runs/11801663866 |
There was a problem hiding this comment.
@adrianbatuto Thank you for confirming, in that case we are good to go from my side!
Commit to be reviewed
ci(release): add sigstore npm integration through --provenance
Fixes #2623
Pull Request Requirements
upstream/mainbranch and squashed into single commit to help maintainers review it more efficient and to avoid spaghetti git commit graphs that obfuscate which commit did exactly what change, when and, why.-sflag when usinggit commitcommand. You may refer to this link for more information.Character Limit
A Must Read for Beginners
For rebasing and squashing, here's a must read guide for beginners.