feat(ci): package-registry provenance #662

Merged: hyperpolymath merged 1 commit into main from feat/package-provenance, Jun 25, 2026
@hyperpolymath

Owner

Adds native package-registry provenance to the publish workflows (additive, no behavioural change to a successful publish).

npm — .github/workflows/affine-vscode-publish.yml

Publishes @hyperpolymath/affine-vscode to public npmjs (registry.npmjs.org) via npm publish.

  • Added id-token: write to the workflow-level permissions: (kept contents: read). The workflow has a single publish job, so top-level permissions cover it.
  • Added --provenance to the publish command (kept existing --access public).
  • npm will now attach a signed provenance attestation (built via GitHub OIDC).
  • package.json already has a correct repository field (https://github.com/hyperpolymath/affinescript.git, directory packages/affine-vscode) — required for provenance, so nothing to fix.

JSR — .github/workflows/publish-jsr.yml

JSR records provenance automatically when run in GitHub Actions with id-token: write.

  • No change needed: the publish job already has permissions: contents: read + id-token: write (it relies on JSR OIDC and commits no token). deno publish needs no extra flag.

Notes / skips

  • No vsce/VS Code Marketplace publish exists in these workflows; the affine-vscode artefact is a genuine npm package consumed via require(...), so the npm-provenance pattern applies cleanly.
  • No GitHub Packages (npm.pkg.github.com) publish present — N/A.

🤖 Generated with Claude Code

hyperpolymath merged commit 15a2087 into main on Jun 25, 2026
15 of 16 checks passed
hyperpolymath deleted the feat/package-provenance branch on June 25, 2026 09:15
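
The prerequisites listed in the PR description (the `id-token: write` permission, the `--provenance` flag, and a `repository` field that points at the source repo) can be checked before merge. The following is an added example, not code from this PR or the project: a small lint over a workflow file and `package.json`. The function names and workflow snippets are hypothetical and constructed, the scan is line-based (single-line `run:` commands only), and it also accepts `publishConfig.provenance`, which goes beyond what the PR uses.

```python
import json
import re

def repo_slug(url):
    """Reduce a GitHub repository URL to 'owner/repo', or None if it is not one."""
    m = re.search(r"github\.com[/:]([^/\s]+)/([^/\s]+?)(?:\.git)?/?$", url.strip())
    return f"{m.group(1)}/{m.group(2)}" if m else None

def provenance_findings(workflow_text, package_json_text, expected_slug):
    """List problems that would leave an npm publish without a valid attestation."""
    findings = []
    # Drop YAML comments so a commented-out permission or flag does not count.
    lines = [re.sub(r"(^|\s)#.*$", "", ln) for ln in workflow_text.splitlines()]
    if not any(re.search(r"\bid-token:\s*write\b", ln) for ln in lines):
        findings.append("workflow lacks 'id-token: write'")
    pkg = json.loads(package_json_text)
    # publishConfig.provenance in package.json is npm's alternative to the CLI flag.
    via_config = pkg.get("publishConfig", {}).get("provenance") is True
    for ln in lines:
        if re.search(r"\bnpm\s+publish\b", ln) and "--provenance" not in ln and not via_config:
            findings.append(f"publish without --provenance: {ln.strip()}")
    repo = pkg.get("repository")
    url = repo.get("url", "") if isinstance(repo, dict) else (repo or "")
    if repo_slug(url) != expected_slug:
        findings.append(f"repository {url!r} does not match {expected_slug}")
    return findings

# Constructed samples: package.json values are the ones quoted in the PR text;
# the workflow bodies are illustrative, not the project's actual files.
PACKAGE_JSON = json.dumps({
    "name": "@hyperpolymath/affine-vscode",
    "repository": {"type": "git", "directory": "packages/affine-vscode",
                   "url": "https://github.com/hyperpolymath/affinescript.git"},
})
GOOD_WORKFLOW = """\
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    steps:
      - run: npm publish --provenance --access public
"""
BAD_WORKFLOW = GOOD_WORKFLOW.replace("  id-token", "  # id-token").replace("--provenance ", "")

if __name__ == "__main__":
    for name, wf in (("good", GOOD_WORKFLOW), ("bad", BAD_WORKFLOW)):
        print(name, provenance_findings(wf, PACKAGE_JSON, "hyperpolymath/affinescript"))
```
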