9 changes: 8 additions & 1 deletion .github/workflows/release.yaml
Expand Up @@ -41,5 +41,12 @@ jobs:
registry-url: 'https://registry.npmjs.org'
node-version: lts/*

- name: 📦 Pack package
run: nix develop --command pnpm pack --no-git-checks

- name: 🚀 Publish package
run: nix develop --command pnpm publish --provenance --no-git-checks --access public
shell: bash
run: |
PACKAGE_TGZ=$(ls *.tgz | head -n 1)
Copilot AI Dec 15, 2025

The command uses head -n 1 to select the first tarball, which could select an unexpected file if multiple .tgz files exist in the directory. Consider adding error handling to verify exactly one tarball exists, or use a more specific pattern like finding the tarball with the expected package name format.

echo "Publishing package: $PACKAGE_TGZ"
npm publish "$PACKAGE_TGZ" --access public
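Review bot: the rewritten publish step drops `--provenance` from the previous `nix develop --command pnpm publish --provenance --no-git-checks --access public` line and selects the artifact with `PACKAGE_TGZ=$(ls *.tgz | head -n 1)`, so a stale or second tarball in the working directory would be published without any error and consumers lose the build attestation. Suggest starting the script with `set -euo pipefail`, selecting the tarball with a glob that fails unless exactly one file matches (`shopt -s nullglob; tgz=(*.tgz); [ "${#tgz[@]}" -eq 1 ] || { echo "expected exactly one .tgz"; exit 1; }`), and keeping the attestation with `npm publish "$PACKAGE_TGZ" --access public --provenance`. Note as well that this step runs `npm` directly rather than through `nix develop --command` like the pack step, so it uses the runner's Node from `node-version: lts/*` rather than the flake's toolchain.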
Copilot AI Dec 15, 2025

The workflow switches from using pnpm to npm for publishing. The pack step uses pnpm, but the publish step uses npm. This inconsistency could lead to confusion and potential issues. Consider using the same package manager for both operations, or document why different tools are being used. Additionally, the prepack script in package.json is designed to work with pnpm, so using npm publish directly on the tarball bypasses the package manager alignment.

Copilot AI Dec 15, 2025

The removal of the --provenance flag eliminates npm's provenance attestation feature, which provides cryptographic verification of the package's origin and build process. This reduces supply chain security by removing the ability for consumers to verify that the published package was built in the expected CI environment. The id-token: write permission on line 28 suggests provenance was intentionally configured. If --provenance was removed due to errors, consider investigating and fixing the underlying issue rather than removing this security feature.

Suggested change
npm publish "$PACKAGE_TGZ" --access public
npm publish "$PACKAGE_TGZ" --access public --provenance

1 change: 1 addition & 0 deletions flake.nix
Expand Up @@ -15,6 +15,7 @@
devShells.default = pkgs.mkShell {
buildInputs = with pkgs; [
pnpm_10
nodejs_24
];

shellHook = ''
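Review bot: `nodejs_24` is added to the dev shell next to `pnpm_10`, but the workflow's publish step calls `npm` outside `nix develop` with `node-version: lts/*` from setup-node, so packing (via the flake) and publishing (via the runner's Node) can run on different Node and npm versions. Either pin the same major in the workflow's `node-version` or run the publish through `nix develop --command` as the pack step does, so the flake is the single source of the toolchain used in the release.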
1 change: 0 additions & 1 deletion package.json
Expand Up @@ -29,7 +29,6 @@
"lint:oxfmt": "oxfmt --no-error-on-unmatched-pattern --check .",
"lint:oxlint": "oxlint --max-warnings=0 --type-aware --type-check",
"lint:knip": "knip",
"preinstall": "npx only-allow pnpm",
"prepack": "npm pkg delete scripts.preinstall && pnpm run build",
Copilot AI Dec 15, 2025

The prepack script references scripts.preinstall, which was just removed on the line above. This will cause the npm pkg delete command to fail silently or produce an error since it's trying to delete a non-existent script. Either remove the npm pkg delete scripts.preinstall part from this script or keep the preinstall script.

Suggested change
"prepack": "npm pkg delete scripts.preinstall && pnpm run build",
"prepack": "pnpm run build",

"test": "vitest",
"coverage": "vitest run --coverage"
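Review bot: removing `"preinstall": "npx only-allow pnpm"` leaves `"prepack": "npm pkg delete scripts.preinstall && pnpm run build"` deleting a script that no longer exists; that deletion only existed to keep the pnpm guard out of the published manifest. Suggest `"prepack": "pnpm run build"`, and since `prepack` runs during the CI `pnpm pack` step, confirm the package.json inside the produced tarball carries no `preinstall` entry before it is published.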