Pnpm publish with provenance flag doesn't work

[VividLemon]

pnpm version: 8.6

Code to reproduce the issue:

My previous line was pnpm publish --tag latest --filter @bootstrap-vue-next/nuxt --access=public --provenance

Expected behavior:

Publish with provenance

Actual behavior:

Did not

Additional information:

Github Action runner, ubuntu-latest , node 20

In order to fix the issue I had created this commit bootstrap-vue-next/bootstrap-vue-next@913cda8

The update worked.

The previous version that didn't worked was published at https://www.npmjs.com/package/bootstrap-vue-next/v/0.9.3 , with no provenance statement.

Today I published https://www.npmjs.com/package/bootstrap-vue-next/v/0.9.4 , with the above commit, and it worked.

[markmartirosian]

seeing the same issue

[zkochan]

pnpm actually runs npm CLI for publish. So it is just passing through the --provenance option to npm. Maybe you have an old version of npm that doesn't support provenance?

[VividLemon]

pnpm actually runs npm CLI for publish. So it is just passing through the --provenance option to npm. Maybe you have an old version of npm that doesn't support provenance?

It should just be whatever version is on the github actions. Assuming its not auto installed by the action, it would be whatever's included in node 20

[andrskr]

Could be helpful to add this to your package.json (you don't need to add --provenance flag in this case)

"publishConfig": {
    "access": "public",
    "provenance": true
  },

[VividLemon]

I don't really know what the issue is. Nor can I really speak much to the issue as I stopped using the syntax as I preferred the https://github.com/bootstrap-vue-next/bootstrap-vue-next/blob/main/.github/workflows/release-main.yaml#L82 syntax

[Nickersoft]

Just wanted to chime in that I'm also encountering an issue where it seems like PNPM is straight-up ignoring the flags I pass to publish:

Passing the same tag and access flags to npm publish directly works fine:

[hi-ogawa]

It looks like argument handling is quite different for "recursive publish" case and the npm flag delegations are manually done only for limited set of flags:

pnpm/releasing/plugin-commands-publishing/src/recursivePublish.ts

Lines 92 to 101 in 4001982

	const appendedArgs: string[] = []
	if (opts.cliOptions['access']) {
	appendedArgs.push(`--access=${opts.cliOptions['access'] as string}`)
	}
	if (opts.dryRun) {
	appendedArgs.push('--dry-run')
	}
	if (opts.cliOptions['otp']) {
	appendedArgs.push(`--otp=${opts.cliOptions['otp'] as string}`)
	}

When directly publishing .tgz, that's also in a different code path, so it's possible that the flag handling works slightly differently:

pnpm/releasing/plugin-commands-publishing/src/publish.ts

Lines 186 to 189 in 4001982

	if ((params.length > 0) && params[0].endsWith('.tgz')) {
	const { status } = runNpm(opts.npmPath, ['publish', ...params])
	return { exitCode: status ?? 0 }
	}

[ndom91]

There's also a NPM_CONFIG_PROVENANCE: true env var you can pass during pnpm publish which should enable this. Nuxt seems to be using this method with pnpm