Use npm instead of yarn to publish with provenance (#279)

jtbandes · web-flow · commit e1c62ec13753 · 2024-04-05T20:40:02.000-07:00
### Changelog None ### Description Follow-up from #278. It appears `yarn npm publish` does not support `--provenance` (yarnpkg/berry#5430). Per yarnpkg/berry#5430 (comment) this can be worked around by using `yarn pack` with `npm publish`.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -31,11 +31,13 @@ jobs:
       - run: yarn run lint:ci
       - run: yarn run test
 
+      - run: yarn pack
       - name: Publish to NPM
         if: ${{ startsWith(github.ref, 'refs/tags/v') }}
-        run: yarn npm publish --provenance --access public
+        # `yarn npm publish` does not currently support --provenance: https://github.com/yarnpkg/berry/issues/5430
+        run: npm publish package.tgz --provenance --access public
         env:
-          YARN_NPM_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
 
   chromatic:
     runs-on: ubuntu-latest
diff --git a/.gitignore b/.gitignore
@@ -11,3 +11,4 @@ node_modules/
 !.yarn/releases
 !.yarn/sdks
 !.yarn/versions
+package.tgz
