From 782e686bc20b52201ef07e464c4786c35095822a Mon Sep 17 00:00:00 2001 From: Aaron Dewes Date: Wed, 3 Apr 2024 20:04:47 +0200 Subject: [PATCH] feat(security): Add provenance (#650) * Enable provenance in package.json * Add necessary permissions to the release workflow --- .github/workflows/release.yml | 7 +++++++ package.json | 3 ++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index eb9e6f66..60b26ce6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -6,6 +6,13 @@ name: Release - next - beta - v*.x +# These are recommended by the semantic-release docs: https://github.com/semantic-release/npm#npm-provenance +permissions: + contents: write # to be able to publish a GitHub release + issues: write # to be able to comment on released issues + pull-requests: write # to be able to comment on released pull requests + id-token: write # to enable use of OIDC for npm provenance + jobs: release: name: release diff --git a/package.json b/package.json index bff07d30..e4d267ea 100644 --- a/package.json +++ b/package.json @@ -2,7 +2,8 @@ "name": "@octokit/fixtures", "version": "0.0.0-development", "publishConfig": { - "access": "public" + "access": "public", + "provenance": true }, "description": "Fixtures for all the octokittens", "main": "index.js",