diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 82d441212..05f8454fd 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -38,6 +38,12 @@ # Trusted publishing requires Node >= 22.14.0 and npm >= 11.5.1, which is why # we pin `node-version: latest` here. The `id-token: write` permission below # is what allows GitHub Actions to mint the OIDC token npm uses to verify us. +# +# Provenance: each publishable package sets `publishConfig.provenance: true` in +# its package.json, so `npm publish` (invoked by `changeset publish`) generates +# npm provenance attestations. This relies on the `id-token: write` permission +# and a GitHub-hosted runner. See: +# https://docs.npmjs.com/generating-provenance-statements name: Release diff --git a/packages/blob/package.json b/packages/blob/package.json index d9503e3fa..705c7eeb0 100644 --- a/packages/blob/package.json +++ b/packages/blob/package.json @@ -8,6 +8,9 @@ "url": "https://github.com/vercel/storage.git", "directory": "packages/blob" }, + "publishConfig": { + "provenance": true + }, "license": "Apache-2.0", "sideEffects": false, "type": "module", diff --git a/packages/edge-config-fs/package.json b/packages/edge-config-fs/package.json index 559f6248e..354ec272b 100644 --- a/packages/edge-config-fs/package.json +++ b/packages/edge-config-fs/package.json @@ -8,6 +8,9 @@ "url": "https://github.com/vercel/storage.git", "directory": "packages/edge-config-fs" }, + "publishConfig": { + "provenance": true + }, "license": "Apache-2.0", "sideEffects": false, "type": "module", diff --git a/packages/edge-config/package.json b/packages/edge-config/package.json index 335d265e9..d12194138 100644 --- a/packages/edge-config/package.json +++ b/packages/edge-config/package.json @@ -8,6 +8,9 @@ "url": "https://github.com/vercel/storage.git", "directory": "packages/edge-config" }, + "publishConfig": { + "provenance": true + }, "license": "Apache-2.0", "sideEffects": false, "type": "module",