feat(security): Add provenance (#916)

AaronDewes · wolfy1339 · web-flow · commit b28ee220ca96 · 2024-04-03T18:12:30.000Z
* Enable provenance in package.json

* Add necessary permissions to the release workflow

* Adapt PR

---------

Co-authored-by: wolfy1339 &lt;webmaster@wolfy1339.com&gt;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -4,6 +4,13 @@
       - main
       - beta
 name: Release
+# These are recommended by the semantic-release docs: https://github.com/semantic-release/npm#npm-provenance
+permissions:
+    contents: write # to be able to publish a GitHub release
+    issues: write # to be able to comment on released issues
+    pull-requests: write # to be able to comment on released pull requests
+    id-token: write # to enable use of OIDC for npm provenance
+
 jobs:
   build:
     name: release
diff --git a/package.json b/package.json
@@ -91,8 +91,5 @@
     "turndown": "^7.1.1",
     "typescript": "^5.0.0",
     "yargs": "^17.3.1"
-  },
-  "publishConfig": {
-    "access": "public"
   }
 }
diff --git a/payload-examples/package.json b/payload-examples/package.json
@@ -18,6 +18,7 @@
   },
   "devDependencies": {},
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   }
 }
diff --git a/payload-schemas/package.json b/payload-schemas/package.json
@@ -14,6 +14,7 @@
   "dependencies": {},
   "devDependencies": {},
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   }
 }
diff --git a/payload-types/package.json b/payload-types/package.json
@@ -15,6 +15,7 @@
   "dependencies": {},
   "devDependencies": {},
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -91,8 +91,5 @@`
`91`	`91`	`"turndown": "^7.1.1",`
`92`	`92`	`"typescript": "^5.0.0",`
`93`	`93`	`"yargs": "^17.3.1"`
`94`		`- },`
`95`		`- "publishConfig": {`
`96`		`- "access": "public"`
`97`	`94`	`}`
`98`	`95`	`}`
Original file line number	Diff line number	Diff line change
`@@ -18,6 +18,7 @@`
`18`	`18`	`},`
`19`	`19`	`"devDependencies": {},`
`20`	`20`	`"publishConfig": {`
`21`		`- "access": "public"`
	`21`	`+ "access": "public",`
	`22`	`+ "provenance": true`
`22`	`23`	`}`
`23`	`24`	`}`
Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,7 @@`
`14`	`14`	`"dependencies": {},`
`15`	`15`	`"devDependencies": {},`
`16`	`16`	`"publishConfig": {`
`17`		`- "access": "public"`
	`17`	`+ "access": "public",`
	`18`	`+ "provenance": true`
`18`	`19`	`}`
`19`	`20`	`}`
Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,7 @@`
`15`	`15`	`"dependencies": {},`
`16`	`16`	`"devDependencies": {},`
`17`	`17`	`"publishConfig": {`
`18`		`- "access": "public"`
	`18`	`+ "access": "public",`
	`19`	`+ "provenance": true`
`19`	`20`	`}`
`20`	`21`	`}`