
chore(ci): bump lerna & add provenance config #1541


Merged

Conversation

dreamorosi
Contributor

Description of your changes

This PR introduces the necessary changes to publish packages to npmjs.com together with a provenance statement backed by Sigstore.

Specifically, the PR:

  • bumps lerna (package used to publish) to version 6.6.2 which is the version that introduced support for the feature
  • adds two permissions to the publish-npm job, according to the npm docs on the topic: https://docs.npmjs.com/generating-provenance-statements
  • sets an environment variable NPM_CONFIG_PROVENANCE=true, which according to the npm docs & the lerna maintainers should instruct the script to publish a provenance statement.

Related issues, RFCs

Issue number: closes #1436

Checklist

  • My changes meet the tenets criteria
  • I have performed a self-review of my own code
  • I have commented my code where necessary, particularly in areas that should be flagged with a TODO, or hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my change is effective and works
  • The PR title follows the conventional commit semantics

Breaking change checklist

Is it a breaking change?: NO

  • I have documented the migration process
  • I have added, implemented necessary warnings (if it can live side by side)

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

Disclaimer: We value your time and bandwidth. As such, any pull requests created on non-triaged issues might not be successful.
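The three changes listed in the description (lerna 6.6.2, the two job permissions from the npm provenance docs, and NPM_CONFIG_PROVENANCE=true) fit together in one GitHub Actions job. The following workflow fragment is an added example, not the workflow from this PR or from the project: the job name, trigger, Node version, action versions, secret name and the lerna invocation are assumptions chosen to make the fragment complete.

```yaml
# Added example (not the project's own workflow). Shows where the PR's three
# pieces land: the lerna version in package.json is assumed to already be 6.6.2.
name: publish
on:
  workflow_dispatch:          # assumption: trigger manually; the real trigger may differ

jobs:
  publish-npm:
    runs-on: ubuntu-latest    # provenance needs a cloud-hosted runner (OIDC token issuer)
    permissions:
      id-token: write         # lets the job request an OIDC token; Sigstore signs with it
      contents: read          # checkout only; the job gets no write access to the repo
    env:
      # Same effect as `npm publish --provenance`; npm reads NPM_CONFIG_<key> from the env.
      NPM_CONFIG_PROVENANCE: "true"
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: 18
          registry-url: https://registry.npmjs.org   # makes setup-node write .npmrc for NODE_AUTH_TOKEN
      - run: npm ci
      # Assumption: packages are versioned already and lerna only publishes them.
      - run: npx lerna publish from-package --yes
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumption: secret name
```

Two checks worth doing after the first provenance-enabled release: the run log should show npm generating and uploading a provenance statement (it is silent on the point when the env var is ignored, which is the failure mode the description's "should instruct" hedges against), and a consumer can run `npm audit signatures` in a project that depends on the package to verify the registry signature and attestation. Keep the permissions block scoped to the publish job, as above, rather than at the workflow level, so that `id-token: write` is not granted to test or lint jobs that do not need it.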

@dreamorosi dreamorosi requested a review from sthulb June 22, 2023 10:44
@dreamorosi dreamorosi self-assigned this Jun 22, 2023
@dreamorosi dreamorosi linked an issue Jun 22, 2023 that may be closed by this pull request
@boring-cyborg boring-cyborg bot added automation This item relates to automation dependencies Changes that touch dependencies, e.g. Dependabot, etc. labels Jun 22, 2023
@pull-request-size pull-request-size bot added the size/S PR between 10-29 LOC label Jun 22, 2023
@sthulb sthulb left a comment


I see no issues with the permissions elevation after reviewing the docs

@dreamorosi dreamorosi merged commit 855976d into main Jun 22, 2023
@dreamorosi dreamorosi deleted the 1436-maintenance-update-lerna-and-implement-npm-provenance branch June 22, 2023 11:30
Development

Successfully merging this pull request may close these issues.

Maintenance: update lerna and implement npm provenance