diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
index fbe34bc78..37a0a9e93 100644
--- a/.github/workflows/nodejs.yml
+++ b/.github/workflows/nodejs.yml
@@ -380,6 +380,12 @@ jobs:
 if: ${{ github.event_name == 'push' }}
 runs-on: ubuntu-latest
+ permissions:
+ contents: write # to be able to publish a GitHub release
+ issues: write # to be able to comment on released issues
+ pull-requests: write # to be able to comment on released pull requests
+ id-token: write # to enable use of OIDC for npm provenance
+
 steps:
 - uses: actions/checkout@v4.1.7
@@ -391,6 +397,9 @@ jobs:
 - run: npm ci
+ - name: Verify the integrity of provenance attestations and registry signatures for installed dependencies
+ run: npm audit signatures
+
 - env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 5bad83fcf..ef2c8c894 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,11 +8,6 @@ jobs:
 release:
 name: Release
 runs-on: ubuntu-latest
- permissions:
- contents: write # to be able to publish a GitHub release
- issues: write # to be able to comment on released issues
- pull-requests: write # to be able to comment on released pull requests
- id-token: write # to enable use of OIDC for npm provenance
 steps:
 - uses: actions/checkout@v4.1.7
@@ -21,8 +16,6 @@ jobs:
 with:
 node-version: 18
 cache: 'npm'
- - name: Verify the integrity of provenance attestations and registry signatures for installed dependencies
- run: npm audit signatures
 - name: Tag latest release
 run: |
 echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
diff --git a/package.json b/package.json
index c8d41a7a1..09179841c 100644
--- a/package.json
+++ b/package.json
@@ -38,7 +38,8 @@
 "node": ">=18"
 },
 "publishConfig": {
- "tag": "next"
+ "tag": "next",
+ "provenance": true
 },
 "dependencies": {
 "@azure/core-auth": "^1.7.2",
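Review bot: The new `permissions:` block grants `contents: write` and `id-token: write` to a job whose only visible guard is `if: ${{ github.event_name == 'push' }}`, so unless the workflow's `on:` block (outside this hunk) restricts branches, a push to any listened-to branch can mint an OIDC token and publish releases under this permission set. Consider binding the job to a protected GitHub environment, for example `environment: release` on the line after `runs-on: ubuntu-latest`, so the OIDC subject claim carries the environment name and its branch rules or required reviewers gate the publish rather than the event type alone. Scoping `permissions` at the job level instead of the workflow level, as done here, is the right granularity. The job definition starts above the hunk, so I cannot see whether an environment is already set further up.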
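Review bot: `run: npm audit signatures` executes only after the `- run: npm ci` step above it has finished, so any install-time lifecycle scripts in the dependency tree have already run on the release runner before their registry signatures and provenance attestations are checked; as written the step gates the publish that follows, not the install. If the intent is to keep unverified packages from running code at all, the install could become `- run: npm ci --ignore-scripts`, followed by this audit step and then an `npm rebuild` for packages that genuinely need their scripts, which is worth confirming against the dependency tree before changing. As a point of style, the 100-plus-character step `name:` could be shortened to `name: Verify registry signatures and provenance of installed dependencies` with the rest of the rationale in a `#` comment above the step. The same step was removed from `.github/workflows/release.yml` in this commit, so this is now the only place the check runs.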
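Review bot: `"provenance": true` in `publishConfig` makes every `npm publish`, including one run from a developer machine, attempt to generate a provenance attestation, which only succeeds inside a supported CI environment holding an OIDC token (the `id-token: write` permission added to `.github/workflows/nodejs.yml` covers that path). The visible `"node": ">=18"` engine range, if I recall the release history correctly, still admits early Node 18 releases that bundled an npm older than the version that introduced provenance, and as far as I know an older npm ignores an unknown `publishConfig` key rather than failing, so a publish from such a toolchain would silently produce no attestation. Strict JSON leaves nowhere for a comment, so the constraint is better recorded in the project's release documentation, and an explicit npm version check or pin in the publishing job would make the requirement fail loudly instead of silently.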