feat(security): Add provenance (#206)

* Enable provenance in package.json * Add necessary permissions to the release workflow * Adapt sub-packages --------- Co-authored-by: wolfy1339 <[email protected]>
octokit · Apr 3, 2024 · 8a1e339 · 8a1e339
1 parent 744a9b0
commit 8a1e339
Show file tree

Hide file tree

Showing 43 changed files with 89 additions and 39 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -3,6 +3,13 @@ name: Release
   push:
     branches:
       - main
+# These are recommended by the semantic-release docs: https://github.com/semantic-release/npm#npm-provenance
+permissions:
+    contents: write # to be able to publish a GitHub release
+    issues: write # to be able to comment on released issues
+    pull-requests: write # to be able to comment on released pull requests
+    id-token: write # to enable use of OIDC for npm provenance
+
 jobs:
   release:
     name: release

diff --git a/package.json b/package.json
@@ -289,5 +289,8 @@
   "engines": {
     "node": ">=16.5.0",
     "npm": ">=7.17.0"
+  },
+  "publishConfig": {
+    "provenance": true
   }
 }
diff --git a/packages/auth-token/package.json b/packages/auth-token/package.json
@@ -1,7 +1,8 @@
 {
   "name": "@octokit-next/auth-token",
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "type": "module",
   "version": "0.0.0-development",

diff --git a/packages/core/package.json b/packages/core/package.json
@@ -1,7 +1,8 @@
 {
   "name": "@octokit-next/core",
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "type": "module",
   "version": "0.0.0-development",

diff --git a/packages/endpoint/package.json b/packages/endpoint/package.json
@@ -2,7 +2,8 @@
   "name": "@octokit-next/endpoint",
   "version": "0.0.0-development",
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "type": "module",
   "description": "Turns REST API endpoints into generic request options",

diff --git a/packages/graphql/package.json b/packages/graphql/package.json
@@ -2,7 +2,8 @@
   "name": "@octokit-next/graphql",
   "version": "0.0.0-development",
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "type": "module",
   "description": "GitHub GraphQL API client for browsers and Node",

diff --git a/packages/oauth-authorization-url/package.json b/packages/oauth-authorization-url/package.json
@@ -1,7 +1,8 @@
 {
   "name": "@octokit-next/oauth-authorization-url",
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "type": "module",
   "version": "0.0.0-development",

diff --git a/packages/oauth-methods/package.json b/packages/oauth-methods/package.json
@@ -1,7 +1,8 @@
 {
   "name": "@octokit-next/oauth-methods",
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "type": "module",
   "version": "0.0.0-development",

diff --git a/packages/request-error/package.json b/packages/request-error/package.json
@@ -2,7 +2,8 @@
   "name": "@octokit-next/request-error",
   "version": "0.0.0-development",
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "type": "module",
   "description": "Error class for Octokit request errors",

diff --git a/packages/request/package.json b/packages/request/package.json
@@ -2,7 +2,8 @@
   "name": "@octokit-next/request",
   "version": "0.0.0-development",
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "type": "module",
   "description": "Simplified version of `@octokit/request` to experiment with ESM and types",

diff --git a/packages/types-openapi-ghec-diff-to-api.github.com/package.json b/packages/types-openapi-ghec-diff-to-api.github.com/package.json
@@ -7,7 +7,8 @@
     "directory": "packages/types-openapi-ghec-diff-to-api.github.com"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "version": "0.0.0-development",
   "types": "index.d.ts",

diff --git a/packages/types-openapi-ghec/package.json b/packages/types-openapi-ghec/package.json
@@ -7,7 +7,8 @@
     "directory": "packages/types-openapi-ghec"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "version": "0.0.0-development",
   "types": "index.d.ts",

diff --git a/packages/types-openapi-ghes-3.2-diff-to-ghes-3.3/package.json b/packages/types-openapi-ghes-3.2-diff-to-ghes-3.3/package.json
@@ -7,7 +7,8 @@
     "directory": "packages/types-openapi-ghes-3.2-diff-to-ghes-3.3"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "version": "0.0.0-development",
   "types": "index.d.ts",

diff --git a/packages/types-openapi-ghes-3.2/package.json b/packages/types-openapi-ghes-3.2/package.json
@@ -7,7 +7,8 @@
     "directory": "packages/types-openapi-ghes-3.2"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "version": "0.0.0-development",
   "types": "index.d.ts",

diff --git a/packages/types-openapi-ghes-3.3-diff-to-ghes-3.4/package.json b/packages/types-openapi-ghes-3.3-diff-to-ghes-3.4/package.json
@@ -7,7 +7,8 @@
     "directory": "packages/types-openapi-ghes-3.3-diff-to-ghes-3.4"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "version": "0.0.0-development",
   "types": "index.d.ts",

diff --git a/packages/types-openapi-ghes-3.3/package.json b/packages/types-openapi-ghes-3.3/package.json
@@ -7,7 +7,8 @@
     "directory": "packages/types-openapi-ghes-3.3"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "version": "0.0.0-development",
   "types": "index.d.ts",

diff --git a/packages/types-openapi-ghes-3.4-diff-to-ghes-3.5/package.json b/packages/types-openapi-ghes-3.4-diff-to-ghes-3.5/package.json
@@ -7,7 +7,8 @@
     "directory": "packages/types-openapi-ghes-3.4-diff-to-ghes-3.5"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "version": "0.0.0-development",
   "types": "index.d.ts",

diff --git a/packages/types-openapi-ghes-3.4/package.json b/packages/types-openapi-ghes-3.4/package.json
@@ -7,7 +7,8 @@
     "directory": "packages/types-openapi-ghes-3.4"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "version": "0.0.0-development",
   "types": "index.d.ts",

diff --git a/packages/types-openapi-ghes-3.5-diff-to-ghes-3.6/package.json b/packages/types-openapi-ghes-3.5-diff-to-ghes-3.6/package.json
@@ -7,7 +7,8 @@
     "directory": "packages/types-openapi-ghes-3.5-diff-to-ghes-3.6"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "version": "0.0.0-development",
   "types": "index.d.ts",

diff --git a/packages/types-openapi-ghes-3.5/package.json b/packages/types-openapi-ghes-3.5/package.json
@@ -7,7 +7,8 @@
     "directory": "packages/types-openapi-ghes-3.5"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "version": "0.0.0-development",
   "types": "index.d.ts",

diff --git a/packages/types-openapi-ghes-3.6-diff-to-api.github.com/package.json b/packages/types-openapi-ghes-3.6-diff-to-api.github.com/package.json
@@ -7,7 +7,8 @@
     "directory": "packages/types-openapi-ghes-3.6-diff-to-api.github.com"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "version": "0.0.0-development",
   "types": "index.d.ts",

diff --git a/packages/types-openapi-ghes-3.6/package.json b/packages/types-openapi-ghes-3.6/package.json
@@ -7,7 +7,8 @@
     "directory": "packages/types-openapi-ghes-3.6"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "version": "0.0.0-development",
   "types": "index.d.ts",

diff --git a/packages/types-openapi-github.ae-diff-to-api.github.com/package.json b/packages/types-openapi-github.ae-diff-to-api.github.com/package.json
@@ -7,7 +7,8 @@
     "directory": "packages/types-openapi-github.ae-diff-to-api.github.com"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "version": "0.0.0-development",
   "types": "index.d.ts",

diff --git a/packages/types-openapi-github.ae/package.json b/packages/types-openapi-github.ae/package.json
@@ -7,7 +7,8 @@
     "directory": "packages/types-openapi-github.ae"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "version": "0.0.0-development",
   "types": "index.d.ts",

diff --git a/packages/types-openapi/package.json b/packages/types-openapi/package.json
@@ -7,7 +7,8 @@
     "directory": "packages/types-openapi"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "version": "0.0.0-development",
   "types": "index.d.ts",

diff --git a/packages/types-rest-api-ghec-compatible/package.json b/packages/types-rest-api-ghec-compatible/package.json
@@ -13,7 +13,8 @@
     "openapi-version": "8.0.1"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "repository": {
     "directory": "packages/types-rest-api-ghec-compatible",

diff --git a/packages/types-rest-api-ghec/package.json b/packages/types-rest-api-ghec/package.json
@@ -16,7 +16,8 @@
     "openapi-version": "8.0.1"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "repository": {
     "directory": "packages/types-rest-api-ghec",

diff --git a/packages/types-rest-api-ghes-3.2-compatible/package.json b/packages/types-rest-api-ghes-3.2-compatible/package.json
@@ -13,7 +13,8 @@
     "openapi-version": "8.0.1"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "repository": {
     "directory": "packages/types-rest-api-ghes-3.2-compatible",

diff --git a/packages/types-rest-api-ghes-3.2/package.json b/packages/types-rest-api-ghes-3.2/package.json
@@ -17,7 +17,8 @@
     "openapi-version": "8.0.1"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "repository": {
     "directory": "packages/types-rest-api-ghes-3.2",

diff --git a/packages/types-rest-api-ghes-3.3-compatible/package.json b/packages/types-rest-api-ghes-3.3-compatible/package.json
@@ -13,7 +13,8 @@
     "openapi-version": "8.0.1"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "repository": {
     "directory": "packages/types-rest-api-ghes-3.3-compatible",

diff --git a/packages/types-rest-api-ghes-3.3/package.json b/packages/types-rest-api-ghes-3.3/package.json
@@ -17,7 +17,8 @@
     "openapi-version": "8.0.1"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "repository": {
     "directory": "packages/types-rest-api-ghes-3.3",

diff --git a/packages/types-rest-api-ghes-3.4-compatible/package.json b/packages/types-rest-api-ghes-3.4-compatible/package.json
@@ -13,7 +13,8 @@
     "openapi-version": "8.0.1"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "repository": {
     "directory": "packages/types-rest-api-ghes-3.4-compatible",

diff --git a/packages/types-rest-api-ghes-3.4/package.json b/packages/types-rest-api-ghes-3.4/package.json
@@ -17,7 +17,8 @@
     "openapi-version": "8.0.1"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "repository": {
     "directory": "packages/types-rest-api-ghes-3.4",

diff --git a/packages/types-rest-api-ghes-3.5-compatible/package.json b/packages/types-rest-api-ghes-3.5-compatible/package.json
@@ -13,7 +13,8 @@
     "openapi-version": "8.0.1"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "repository": {
     "directory": "packages/types-rest-api-ghes-3.5-compatible",

diff --git a/packages/types-rest-api-ghes-3.5/package.json b/packages/types-rest-api-ghes-3.5/package.json
@@ -17,7 +17,8 @@
     "openapi-version": "8.0.1"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "repository": {
     "directory": "packages/types-rest-api-ghes-3.5",

diff --git a/packages/types-rest-api-ghes-3.6-compatible/package.json b/packages/types-rest-api-ghes-3.6-compatible/package.json
@@ -13,7 +13,8 @@
     "openapi-version": "8.0.1"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "repository": {
     "directory": "packages/types-rest-api-ghes-3.6-compatible",

diff --git a/packages/types-rest-api-ghes-3.6/package.json b/packages/types-rest-api-ghes-3.6/package.json
@@ -16,7 +16,8 @@
     "openapi-version": "8.0.1"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "repository": {
     "directory": "packages/types-rest-api-ghes-3.6",

diff --git a/packages/types-rest-api-github.ae-compatible/package.json b/packages/types-rest-api-github.ae-compatible/package.json
@@ -13,7 +13,8 @@
     "openapi-version": "8.0.1"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "repository": {
     "directory": "packages/types-rest-api-github.ae-compatible",

diff --git a/packages/types-rest-api-github.ae/package.json b/packages/types-rest-api-github.ae/package.json
@@ -16,7 +16,8 @@
     "openapi-version": "8.0.1"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "repository": {
     "directory": "packages/types-rest-api-github.ae",