[Feature] Add support for yarn npm publish --provenance and publishConfig.provenance option
#5430
Comments
|
Hi, did this feature get any traction? We're interested in using yarn for publishing provenance as well. For context, we currently use |
|
For impatient ones: you can pack your package using Yarn, but publish it using npm. This way you can still e.g. use Yarn plugins. Only at the very last moment you pass the job on to npm, to publish prepared Here's how I did it: |
|
I quickly checked the code that publishes packages. It looks like that I am thrilled to see this feature implemented in |
### Changelog None ### Description Follow-up from #278. It appears `yarn npm publish` does not support `--provenance` (yarnpkg/berry#5430). Per yarnpkg/berry#5430 (comment) this can be worked around by using `yarn pack` with `npm publish`.
|
Hi folks, I have opened #6750 to add a You can try it out now and provide feedback by running the following command in your repository: |
## What's the problem this PR addresses? <!-- Describe the rationale of your PR. --> <!-- Link all issues that it closes. (Closes/Resolves #xxxx.) --> Hi! I added support for provenance to `yarn npm publish`. Closes #5430 ## How did you fix it? <!-- A detailed description of your implementation. --> Adapted code from npm to produce a provenance signature in supported CI environment. ## Checklist <!--- Don't worry if you miss something, chores are automatically tested. --> <!--- This checklist exists to help you remember doing the chores when you submit a PR. --> <!--- Put an `x` in all the boxes that apply. --> - [x] I have read the [Contributing Guide](https://yarnpkg.com/advanced/contributing). <!-- See https://yarnpkg.com/advanced/contributing#preparing-your-pr-to-be-released for more details. --> <!-- Check with `yarn version check` and fix with `yarn version check -i` --> - [x] I have set the packages that need to be released for my changes to be effective. <!-- The "Testing chores" workflow validates that your PR follows our guidelines. --> <!-- If it doesn't pass, click on it to see details as to what your PR might be missing. --> - [x] I will check that all automated PR checks pass before the PR gets reviewed. ## Next steps - Update https://github.com/npm/documentation/blob/c2efb649816e27d37b37da2b21200e4c9ade0d17/content/packages-and-modules/securing-your-code/generating-provenance-statements.mdx?plain=1#L124
Describe the user story
npm has recently announced npm provenance public beta. At the moment, the command
yarn npm publish --provenanceproduces and error, whilepublishConfig.provenanceis nowhere to be found in the docs, meaning - it may or may not work, who knows?Describe the solution you'd like
Support and document
--provenanceflag inyarn npm publishcommandSupport and document
publishConfig.provenanceoption inpackage.jsonDescribe the drawbacks of your solution
None that I know of
Describe alternatives you've considered
npm publish --provenance, but that doesn't allow me to use custom hooks I've implemented using Yarn plugins.The text was updated successfully, but these errors were encountered: