From e23aebc54a5b55228dd4ca45946c470b0c72bc82 Mon Sep 17 00:00:00 2001
From: JP Lomas
Date: Mon, 4 May 2026 18:53:02 +0100
Subject: [PATCH] fix: SLSA provenance to package releases

Signed-off-by: JP Lomas
---
 .github/workflows/release.yml | 6 ++++--
 RELEASE.md | 12 ++++++++++++
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c1ea71b8..1f570b59 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -220,7 +220,8 @@ jobs:
 dist/checksums-sha512.txt \
 dist/sbom-spdx.json \
 dist/sbom-cyclonedx.json \
- --clobber
+ --clobber \
+ --repo "${GITHUB_REPOSITORY}"
 done < dist/released-packages.tsv
 
 slsa-subjects:
@@ -285,5 +286,6 @@ jobs:
 while IFS=$'\t' read -r _package_path _package_name _package_version release_tag _tarball_name; do
 gh release upload "${release_tag}" \
 dist/provenance.intoto.jsonl \
- --clobber
+ --clobber \
+ --repo "${GITHUB_REPOSITORY}"
 done < dist/released-packages.tsv
diff --git a/RELEASE.md b/RELEASE.md
index 568a2d81..7a27e1e3 100644
--- a/RELEASE.md
+++ b/RELEASE.md
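Review bot: The `--repo "${GITHUB_REPOSITORY}"` flag is now repeated on every `gh release upload` call in both hunks (this one and the one at `@@ -285`); the gh CLI reads the same value from the `GH_REPO` environment variable, so setting `GH_REPO: ${{ github.repository }}` once in the job or step `env:` would cover every `gh` invocation inside these loops, including any added later, without per-call flags. Both loops also keep `--clobber`, so a re-run of this job replaces an already-published `provenance.intoto.jsonl` under the same `release_tag`; if that is intended, a short comment above the loop such as `# --clobber: a re-run replaces the provenance asset of an already-published tag` would tell the next maintainer that a previously attached attestation can be overwritten rather than the upload failing. The `while` loops and the steps that produce `dist/released-packages.tsv` begin outside the hunks, so whether a failed upload aborts the loop cannot be confirmed from here.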
@@ -41,6 +41,18 @@ Release-triggering commits:
 
 Non-release changes should use prefixes such as `docs:`, `test:`, `ci:`, `chore:`, `refactor:`, or `style:`.
 
+## Keeping Package Versions In Sync
+
+`multi-semantic-release` releases packages based on committed changes in each package path. If maintainers need to deliberately keep all publishable package versions aligned, run this locally before opening the release-prep PR:
+
+```sh
+pnpm run release:touch-packages
+```
+
+This writes a package-local `.release-touch` marker into every publishable package. Commit those marker changes with a release-triggering Conventional Commit such as `fix(release): refresh package release markers`. The marker files are intentionally outside the package `files` allowlists and are excluded from npm tarballs.
+
+Do not run `release:touch-packages` inside the release workflow. Uncommitted files created by CI are not part of the commit history analyzed by semantic-release and should not be used to force package releases.
+
 ## Pre-Release Requirements
 
 Before setting `RELEASES_ENABLED=true`, the release owner must confirm: