Publish: Add npm provenance attestations #34936

Merged
JReinhold merged 5 commits into next from copilot/bugfixstorybook-provenance-attestations on May 28, 2026

Conversation

Copilot AI (Contributor) commented May 27, 2026

Storybook packages published to npm lack provenance attestations, meaning consumers cannot verify which repo/commit/workflow run produced a given tarball, and npm audit signatures has nothing to check against.

Changes

  • scripts/release/publish.ts: Added --provenance flag to the yarn npm publish command used when publishing all workspace packages.

The workflow already had id-token: write permission for OIDC, so this flag is the only missing piece. Going forward, each published package will include a signed provenance statement linking it to the source commit and workflow run.

Summary by CodeRabbit

  • Chores
    • Enhanced package publishing security configuration to improve release authenticity and verification across distribution channels.

Summary by CodeRabbit

  • Chores
    • Updated package publishing process to include additional metadata with published packages across all workspaces.


Co-authored-by: JReinhold <5678122+JReinhold@users.noreply.github.com>
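The consumer-side check the description says was impossible without attestations (the comparison `npm audit signatures` needs something to check against), as an added example that is not code from this PR or from Storybook. It decodes the SLSA v1 provenance statement npm serves for a published version and compares it with a trust policy. The package name `example-pkg`, the trusted repository `example-org/example-repo`, the workflow path and the registry responses are all constructed here, and the statement layout is the SLSA v1 / GitHub Actions shape assumed for npm's provenance (verify it against a real packument). Signature verification against the Sigstore log is left to `npm audit signatures`; this only checks what the statement claims.

```javascript
// Added example, not code from the PR or the Storybook project: a consumer-side
// policy check over the SLSA provenance that npm serves for a published version.
// Runs offline on constructed registry responses. It does not verify the DSSE
// signature; it checks what the statement claims about repo, workflow, builder
// and tarball digest. Package, repo and workflow names are assumptions.

const SLSA_V1 = 'https://slsa.dev/provenance/v1';
const INTOTO_V1 = 'https://in-toto.io/Statement/v1';
const DSSE_INTOTO = 'application/vnd.in-toto+json';

// Hypothetical trust policy: the only place legitimate publishes may come from.
const POLICY = {
  repository: 'https://github.com/example-org/example-repo',
  workflowPath: '.github/workflows/publish.yml',
  builderId: 'https://github.com/actions/runner/github-hosted',
};

// dist.integrity is "sha512-<base64>"; the provenance subject digest is hex.
function integrityToHex(integrity) {
  const m = /^sha512-([A-Za-z0-9+/=]+)$/.exec(integrity || '');
  return m ? Buffer.from(m[1], 'base64').toString('hex') : null;
}

// A Sigstore bundle carries the in-toto statement as a base64 DSSE payload.
function decodeStatement(bundle) {
  const env = bundle && bundle.dsseEnvelope;
  if (!env || env.payloadType !== DSSE_INTOTO) throw new Error('not an in-toto DSSE envelope');
  return JSON.parse(Buffer.from(env.payload, 'base64').toString('utf8'));
}

// versionMeta: one version object from the packument; attestationsBody: the JSON
// served at dist.attestations.url. Returns findings plus the commit and run named.
function checkProvenance(versionMeta, attestationsBody, pkgName, version, policy) {
  const dist = versionMeta.dist || {};
  if (!dist.attestations) return { ok: false, findings: ['no dist.attestations: published without --provenance'] };
  const att = (attestationsBody.attestations || []).find((a) => a.predicateType === SLSA_V1);
  if (!att) return { ok: false, findings: ['no SLSA v1 provenance attestation served'] };
  const stmt = decodeStatement(att.bundle);
  const findings = [];
  if (stmt._type !== INTOTO_V1 || stmt.predicateType !== SLSA_V1) findings.push('unexpected statement type');
  // Subject must be this exact version and carry the digest of the tarball we would install.
  const subject = (stmt.subject || []).find((s) => s.name === `pkg:npm/${pkgName}@${version}`);
  if (!subject) findings.push('subject is not this package version');
  else if (subject.digest.sha512 !== integrityToHex(dist.integrity)) findings.push('subject digest differs from dist.integrity');
  const build = (stmt.predicate || {}).buildDefinition || {};
  const run = (stmt.predicate || {}).runDetails || {};
  const wf = (build.externalParameters || {}).workflow || {};
  if (wf.repository !== policy.repository) findings.push(`built from ${wf.repository}, expected ${policy.repository}`);
  if (wf.path !== policy.workflowPath) findings.push(`built by ${wf.path}, expected ${policy.workflowPath}`);
  if ((run.builder || {}).id !== policy.builderId) findings.push(`unexpected builder ${(run.builder || {}).id}`);
  const src = (build.resolvedDependencies || [])[0] || {};
  return { ok: findings.length === 0, findings,
    sourceCommit: (src.digest || {}).gitCommit || null, workflowRun: (run.metadata || {}).invocationId || null };
}

// ---- constructed sample data (not real registry output) ----
const PKG = 'example-pkg';
const VERSION = '1.2.3';
const COMMIT = 'c'.repeat(40);
const DIGEST_HEX = 'ab'.repeat(64);
const INTEGRITY = 'sha512-' + Buffer.from(DIGEST_HEX, 'hex').toString('base64');

function makeStatement(repository) {
  return {
    _type: INTOTO_V1, predicateType: SLSA_V1,
    subject: [{ name: `pkg:npm/${PKG}@${VERSION}`, digest: { sha512: DIGEST_HEX } }],
    predicate: {
      buildDefinition: {
        buildType: 'https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1',
        externalParameters: { workflow: { ref: 'refs/heads/next', repository, path: POLICY.workflowPath } },
        resolvedDependencies: [{ uri: `git+${repository}@refs/heads/next`, digest: { gitCommit: COMMIT } }],
      },
      runDetails: { builder: { id: POLICY.builderId }, metadata: { invocationId: `${repository}/actions/runs/123456/attempts/1` } },
    },
  };
}

function makeBundle(statement) {
  return { dsseEnvelope: { payloadType: DSSE_INTOTO,
    payload: Buffer.from(JSON.stringify(statement)).toString('base64'),
    signatures: [{ keyid: '', sig: 'c2lnLWJ5dGVz' }] } }; // placeholder sig; not verified here
}

const WITH_PROVENANCE = { dist: { integrity: INTEGRITY, attestations: {
  url: `https://registry.npmjs.org/-/npm/v1/attestations/${PKG}@${VERSION}`,
  provenance: { predicateType: SLSA_V1 } } } };
const WITHOUT_PROVENANCE = { dist: { integrity: INTEGRITY } };
const ATTESTATIONS_OK = { attestations: [{ predicateType: SLSA_V1, bundle: makeBundle(makeStatement(POLICY.repository)) }] };
const ATTESTATIONS_OTHER_REPO = { attestations: [{ predicateType: SLSA_V1, bundle: makeBundle(makeStatement('https://github.com/someone-else/fork')) }] };

function runSamples() {
  return {
    good: checkProvenance(WITH_PROVENANCE, ATTESTATIONS_OK, PKG, VERSION, POLICY),
    none: checkProvenance(WITHOUT_PROVENANCE, ATTESTATIONS_OK, PKG, VERSION, POLICY),
    otherRepo: checkProvenance(WITH_PROVENANCE, ATTESTATIONS_OTHER_REPO, PKG, VERSION, POLICY),
  };
}

console.log(JSON.stringify(runSamples(), null, 2));
```

Against a real package the two inputs come from `npm view <name>@<version> --json` (the `dist` object) and a GET of `dist.attestations.url`; the `none` sample is what every Storybook version published before this change looks like, and the `otherRepo` sample shows why matching the repository and workflow path matters: a valid, Sigstore-signed attestation from a fork still passes `npm audit signatures`, so the policy comparison is the consumer's own responsibility.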
Copilot AI changed the title [WIP] Fix missing provenance attestations for Storybook packages Add npm provenance attestations to publish workflow May 27, 2026
Copilot AI requested a review from JReinhold May 27, 2026 16:30
@JReinhold JReinhold added labels maintenance (User-facing maintenance tasks) and ci:docs (Run the CI jobs for documentation checks only.) May 27, 2026
@JReinhold JReinhold changed the title Add npm provenance attestations to publish workflow Publish: Add npm provenance attestations May 27, 2026
github-actions Bot (Contributor) commented May 27, 2026

Fails
🚫 PR description is missing the mandatory "#### Manual testing" section. Please add it so that reviewers know how to manually test your changes.

Generated by 🚫 dangerJS against 8ab3ef6

@JReinhold JReinhold marked this pull request as ready for review May 27, 2026 16:44
coderabbitai Bot (Contributor) commented May 27, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 4504278 and 8ab3ef6.

📒 Files selected for processing (1)
  • scripts/release/publish.ts

Walkthrough

The pull request adds the --provenance flag to the npm publish command in the release publish script. This single-line modification enables npm provenance support when publishing all workspace packages, with no other changes to publish configuration or retry behavior.

Changes

NPM Provenance Flag in Publish Script

File: scripts/release/publish.ts
Change: add --provenance to the npm publish command
Summary: The npm publish command is updated to include the --provenance flag when publishing workspace packages, enabling Provenance Statements attestation without modifying other publish arguments or retry logic.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes


coderabbitai Bot (Contributor) left a review

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/publish.yml:
- Line 109: The publish workflow sets NPM_CONFIG_PROVENANCE but Yarn requires
YARN_NPM_CONFIG_PROVENANCE (or npmPublishProvenance in .yarnrc.yml) when running
yarn ... npm publish; update the environment variable in
.github/workflows/publish.yml (replace NPM_CONFIG_PROVENANCE: true with
YARN_NPM_CONFIG_PROVENANCE: true at both occurrences) or alternatively set
npmPublishProvenance in .yarnrc.yml or export YARN_NPM_CONFIG_PROVENANCE before
invoking the script referenced by scripts/release/publish.ts so Yarn actually
enables provenance during publish.

📥 Commits

Reviewing files that changed from the base of the PR and between 2221849 and cf9b0ed.

📒 Files selected for processing (1)
  • .github/workflows/publish.yml

Three comment threads on .github/workflows/publish.yml (outdated)
Copilot AI requested a review from JReinhold May 28, 2026 05:11
JReinhold (Contributor) commented:

@copilot this didn't work for some reason, there is still no provenance on the published package. try adding the CLI flag instead, to the place where we call the publish CLI command.

Co-authored-by: JReinhold <5678122+JReinhold@users.noreply.github.com>
Copilot AI (Contributor, Author) commented May 28, 2026

@copilot this didn't work for some reason, there is still no provenance on the published package. try adding the CLI flag instead, to the place where we call the publish CLI command.

Added --provenance directly to the yarn npm publish command in scripts/release/publish.ts, and removed the env var from the workflow. See commit for the change.

JReinhold (Contributor) commented:
Using the environment variables for some reason didn't make a difference, but adding the --provenance flag to the publish command worked:


https://www.npmjs.com/package/storybook/v/0.0.0-pr-34936-sha-8ab3ef66#provenance

This has the side-effect that trying to publish from local is very likely going to fail, because you can't do provenance from a local computer. But that's okay, we don't have a scenario where a local publish is necessary today. Even security backports are being released from GH Actions today.

@JReinhold JReinhold merged commit 896b349 into next May 28, 2026
1 check failed
@JReinhold JReinhold deleted the copilot/bugfixstorybook-provenance-attestations branch May 28, 2026 08:12
@JReinhold JReinhold added the label patch:yes (Bugfix & documentation PR that need to be picked to main branch) May 28, 2026

Labels

ci:docs (Run the CI jobs for documentation checks only.), maintenance (User-facing maintenance tasks), patch:yes (Bugfix & documentation PR that need to be picked to main branch)


Development

Successfully merging this pull request may close these issues.

[Bug]: Storybook packages are published to npm without provenance attestations

3 participants