
ci: add npm publish workflow with provenance #18

Merged: msluszniak merged 1 commit into main from @ms/npm-provenance-publish on May 21, 2026
@msluszniak

Contributor

Summary

Adds a manual-trigger publish.yml workflow built on top of software-mansion/npm-package-publish, and the package.json fields it needs to produce a valid provenance attestation.

What changed

  • New .github/workflows/publish.yml, workflow_dispatch only. Inputs: package (dropdown of the three published packages), release-type (stable / nightly / beta / alpha / rc), explicit version, perform-git-operations, and dry-run (defaults to true).
  • repository (with directory subpath) and publishConfig.access: public added to both scoped sub-packages — required for provenance on monorepo packages and for npm to allow publishing scoped packages publicly.
  • publishConfig.access: public added to the root for consistency.

Before merging

  1. Configure a Trusted Publisher on npm for each of the three packages — pointing at this repo + publish.yml. The package settings must also use the 2FA mode that allows trusted publishing (the default "Require 2FA and disallow tokens" is fine — Trusted Publishing is not token-based).
  2. First run should be done with dry-run: true to validate the OIDC handshake.

Notes

  • Each workflow run publishes a single package. For a coordinated release, run it three times. Only one of those runs should have perform-git-operations: true to avoid duplicate tag pushes.
  • The action is pinned to a specific commit SHA, per its setup guide.

- Add manual-trigger publish.yml using software-mansion/npm-package-publish
- Add repository and publishConfig fields to scoped sub-packages so
  provenance attestations can be generated
- Set publishConfig.access to public on the root package for consistency
@msluszniak merged commit d7a9065 into main on May 21, 2026
4 checks passed
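
One way to check the manifest requirements described in this PR before the first dry run, as an added example that is not code from this repository or from software-mansion/npm-package-publish. The function names, package names, repository URL and directories are constructed, and treating the `git+` prefix and `.git` suffix as equivalent spellings is an assumption of the example.

```javascript
// Added example, not code from this repository. Package names, repository URL
// and directories are constructed samples.

// Reduce common repository URL spellings to one form for comparison
// (assumption of this example: "git+" prefix and ".git" suffix are equivalent).
function normalizeRepoUrl(url) {
  return String(url).replace(/^git\+/, '').replace(/\.git$/, '').replace(/\/$/, '');
}

// Return the problems that would block a public, provenance-attested publish.
// `directory` is the package's path inside the monorepo ('' for the root).
function checkManifest(manifest, expectedRepo, directory) {
  const problems = [];
  const repo = manifest.repository;
  if (!repo || typeof repo !== 'object' || !repo.url) {
    problems.push('repository must be an object with a url');
  } else {
    if (normalizeRepoUrl(repo.url) !== normalizeRepoUrl(expectedRepo)) {
      problems.push('repository.url does not point at the publishing repo');
    }
    if (directory && repo.directory !== directory) {
      problems.push(`repository.directory should be "${directory}"`);
    }
  }
  const scoped = typeof manifest.name === 'string' && manifest.name.startsWith('@');
  const access = manifest.publishConfig ? manifest.publishConfig.access : undefined;
  if (scoped && access !== 'public') {
    problems.push('scoped package needs publishConfig.access set to "public"');
  }
  return problems;
}

// A coordinated release is one workflow run per package; flag plans where more
// than one run enables perform-git-operations (duplicate tag pushes).
function checkReleasePlan(runs) {
  const tagging = runs.filter((r) => r['perform-git-operations'] === true);
  return tagging.length <= 1 ? [] : [`${tagging.length} runs push tags, expected at most 1`];
}

// Constructed sample data.
const REPO = 'https://github.com/example-org/example-monorepo';
const good = {
  name: '@example/core',
  repository: { type: 'git', url: `git+${REPO}.git`, directory: 'packages/core' },
  publishConfig: { access: 'public' },
};
const bad = { name: '@example/utils', repository: { type: 'git', url: `${REPO}.git` } };
console.log(checkManifest(good, REPO, 'packages/core'), checkManifest(bad, REPO, 'packages/utils'));
```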