Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: sign npm package #21608

Merged
merged 1 commit into from
Apr 19, 2023
Merged

feat: sign npm package #21608

merged 1 commit into from
Apr 19, 2023

Conversation

JamieMagee
Copy link
Contributor

@JamieMagee JamieMagee commented Apr 19, 2023
edited by viceice

Changes

Sign Renovate packages when published

Context

https://github.blog/2023-04-19-introducing-npm-package-provenance/

Documentation (please check one with an [x])

  • I have updated the documentation, or
  • No documentation update is required

How I've tested my work (please select one)

I have verified these changes via:

  • Code inspection only, or
  • Newly added/modified unit tests, or
  • No unit tests but ran on a real repository, or
  • Both unit tests + ran on a real repository

viceice
viceice approved these changes Apr 19, 2023
View reviewed changes
Copy link
Member

@viceice viceice left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

are you sure this works with semantic release and will not blocked by npmjs?

@JamieMagee
Copy link
Contributor Author

are you sure this works with semantic release and will not blocked by npmjs?

semantic release uses npm directly to publish1 so it should work. And this feature is in public preview, so no configuration required. I just published @jamiemagee/provenance from GitHub actions with no configuration.

Footnotes

  1. https://github.com/semantic-release/npm/blob/9aa8c5e7874e4d550da395ffca4a4626dd001d2a/lib/publish.js#L23-L27

@JamieMagee
Copy link
Contributor Author

I'm going ahead with the merge, and will closely monitor the package publish.

@JamieMagee JamieMagee added this pull request to the merge queue Apr 19, 2023
Merged via the queue into main with commit bf035cb Apr 19, 2023
9 checks passed
@JamieMagee JamieMagee deleted the feat/sign-npm branch April 19, 2023 18:52
@renovate-release
Copy link
Collaborator

🎉 This PR is included in version 35.55.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

@HonkingGoose HonkingGoose mentioned this pull request Apr 19, 2023
Closed
@travi
Copy link
Contributor

travi commented Apr 19, 2023
edited

excited to see you adopting this so quickly. i haven't even had the chance to update the docs for semantic-release for this quite yet. i can confirm that setting either in the .npmrc, like you have, or setting in publishConfig within the package.json both work as intended with semantic-release

@rarkins
Copy link
Collaborator

rarkins commented Apr 20, 2023
edited

The publish failed:

npm notice 
npm notice Publishing to https://registry.npmjs.org/ with tag latest and default access
npm ERR! code EUSAGE
npm ERR! Automatic provenance generation not supported outside of GitHub Actions

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/runner/.npm/_logs/2023-04-19T19_35_38_672Z-debug-0.log
Error: Process completed with exit code 1.

https://github.com/renovatebot/renovate/actions/runs/4747207723/jobs/8431810108

@JamieMagee
Copy link
Contributor Author

@rarkins fixed in #21612 already

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 21, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@viceice viceice viceice approved these changes

@secustor secustor secustor approved these changes

@rarkins rarkins Awaiting requested review from rarkins

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Sign our own npm package
6 participants
@JamieMagee @renovate-release @travi @rarkins @viceice @secustor