Support NPM Package Provenance

[sachaw]

Hi, could we please have an option that sets the --provenance flag as outlined in:
https://github.blog/2023-04-19-introducing-npm-package-provenance/

Thanks.

[mcous]

I'll look into adding official support via an option, but in the mean time, provenance should already work! As noted in the npm documentation, since this action calls npm publish directly, you can configure the provenance option a few different ways:

1. An environment variable
2. the publishConfig option of package.json
3. a project-local .npmrc file for the project.

All three should be compatible with this action, and I recommend option 2 - the package.json field - for portability.

Manifest:

{
  "name": "my-cool-package",
  "version": "1.2.3",
  "publishConfig": {
    "provenance": true
  }
}

Workflow:

name: Publish package to npm with provenance
on:
 push:
   branches: [main]
jobs:
 build:
   runs-on: ubuntu-latest
   permissions:
     contents: read
     id-token: write
   steps:
     - uses: actions/checkout@v3
     - uses: actions/setup-node@v3
       with:
         node-version: '18'
     - run: npm install -g npm@latest
     - run: npm ci
     - uses: JS-DevTools/npm-publish@v2
       with:
         token: ${{ secrets.NPM_TOKEN }}

[sachaw]

Excellent, Big thanks for the solutions

[sachaw]

Update, option 2 isn't working for me:

Automatic provenance generation not supported outside of GitHub Actions

For reference, here's the repo: https://github.com/meshtastic/js

[mcous]

It looks like your CI workflow does not do three things that are present in the example workflow from the npm docs.

1. Configure the id-token: write permission
2. Use actions/setup-node to put a specific version of Node in the PATH
3. Upgrade to the latest version of npm

I haven't tried this myself, but it's my understanding that (1) is required. (2) and (3) may be as well.

I'd recommend giving the npm docs another read through to check your specific setup. Otherwise, I'll be able to take a closer look at this in a few days, since I'll be wanting publish provenance configured here, too

[sachaw]

The setup-node is required as npm publish is called.
Is there any scope to add a flag that lets your choose your command prefix/package manager?
i.e.:

- uses: JS-DevTools/npm-publish@v2
       with:
         token: ${{ secrets.NPM_TOKEN }}
         package-manager: pnpm

as most of the package manager alternatives are npm compatible anyways, it should just be a matter of changing the command.

[mcous]

The setup-node is required as npm publish is called.

Cool, I appreciate you being the guinea pig on this one!

Is there any scope to add a flag that lets your choose your command prefix/package manager?

I'm not sure, and I'm a little hesitant to add that feature. It wouldn't necessarily be trivial, since we read and parse the output of npm, so a different package manager could require bespoke output-parsing logic.

With pnpm in particular, I believe pnpm publish --recursive can replace this action entirely, since it does similar "publish versions that do net yet exist in the registry" logic. Where possible, I think relying on your existing toolchain to publish rather than pulling in another tool like this action is generally preferable

[sachaw]

Great, thanks for the feedback

[mcous]

This feature has been merged, and will be released with version 2.1.0 tomorrow morning, eastern US time

[shyim]

I tried this out and it does not seems to work. Did I missed something? https://github.com/shopware/admin-extension-sdk/actions/runs/4977275682/jobs/8906158681#step:8:5

[mcous]

@shyim I haven't sat down at my computer and verified this yet, but my best guess is that you're not using a new enough version of the npm CLI. Your action configuration uses Node v16 and does not upgrade npm to a later version.

Node v16 currently ships with npm version 8.x.x, but provenance requires at least version 9.5.0. Node v18 and v20 both ship with npm >=9.5, or you could add an npm install -g npm@latest step (or use an explicit version, if you prefer) to your workflow

This package publishes itself to npm with provenance (using publishConfig in package.json) so you can reference its workflow file as an example

---

Edit: I have confirmed that npm does not complain about unknown command line arguments, so if you attempt to use --provenance with an old version of npm, it will happily publish your package without complaint. I'll update the docs with this note