semantic-release 21.0.1 → 21.0.2
|
@@ -6,6 +6,11 @@ The [Authentication](../../usage/ci-configuration.md#authentication) environment
|
|
|
6
6
|
|
|
7
7
|
In this example a publish type [`NPM_TOKEN`](https://docs.npmjs.com/creating-and-viewing-authentication-tokens) is required to publish a package to the npm registry. GitHub Actions [automatically populate](https://help.github.com/en/articles/virtual-environments-for-github-actions#github_token-secret) a [`GITHUB_TOKEN`](https://help.github.com/en/articles/creating-a-personal-access-token-for-the-command-line) environment variable which can be used in Workflows.
|
|
8
8
|
|
|
9
|
+
## npm provenance
|
|
10
|
+
|
|
11
|
+
Since GitHub Actions is a [supported provider](https://docs.npmjs.com/generating-provenance-statements#provenance-limitations) for [npm provenance](https://docs.npmjs.com/generating-provenance-statements), it is recommended to enable this to increase supply-chain security for your npm packages.
|
|
12
|
+
Find more detail about configuring npm to publish with provenance through semantic-release [in the documentation for our npm plugin](https://github.com/semantic-release/npm#npm-provenance).
|
|
13
|
+
|
|
9
14
|
## Node project configuration
|
|
10
15
|
|
|
11
16
|
[GitHub Actions](https://github.com/features/actions) support [Workflows](https://help.github.com/en/articles/configuring-workflows), allowing to run tests on multiple Node versions and publish a release only when all test pass.
|
|
@@ -23,10 +28,19 @@ on:
|
|
|
23
28
|
push:
|
|
24
29
|
branches:
|
|
25
30
|
- master
|
|
31
|
+
|
|
32
|
+
permissions:
|
|
33
|
+
contents: read # for checkout
|
|
34
|
+
|
|
26
35
|
jobs:
|
|
27
36
|
release:
|
|
28
37
|
name: Release
|
|
29
38
|
runs-on: ubuntu-latest
|
|
39
|
+
permissions:
|
|
40
|
+
contents: write # to be able to publish a GitHub release
|
|
41
|
+
issues: write # to be able to comment on released issues
|
|
42
|
+
pull-requests: write # to be able to comment on released pull requests
|
|
43
|
+
id-token: write # to enable use of OIDC for npm provenance
|
|
30
44
|
steps:
|
|
31
45
|
- name: Checkout
|
|
32
46
|
uses: actions/checkout@v3
|
|
@@ -37,7 +51,9 @@ jobs:
|
|
|
37
51
|
with:
|
|
38
52
|
node-version: "lts/*"
|
|
39
53
|
- name: Install dependencies
|
|
40
|
-
run: npm
|
|
54
|
+
run: npm clean-install
|
|
55
|
+
- name: Verify the integrity of provenance attestations and registry signatures for installed dependencies
|
|
56
|
+
run: npm audit signatures
|
|
41
57
|
- name: Release
|
|
42
58
|
env:
|
|
43
59
|
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
package/package.json
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "semantic-release",
|
|
3
3
|
"description": "Automated semver compliant package publishing",
|
|
4
|
-
"version": "21.0.
|
|
4
|
+
"version": "21.0.2",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"author": "Stephan Bönnemann <stephan@boennemann.me> (http://boennemann.me)",
|
|
7
7
|
"ava": {
|
|
@@ -30,7 +30,7 @@
|
|
|
30
30
|
"@semantic-release/error": "^3.0.0",
|
|
31
31
|
"@semantic-release/github": "^8.0.0",
|
|
32
32
|
"@semantic-release/npm": "^10.0.2",
|
|
33
|
-
"@semantic-release/release-notes-generator": "^
|
|
33
|
+
"@semantic-release/release-notes-generator": "^11.0.0",
|
|
34
34
|
"aggregate-error": "^4.0.1",
|
|
35
35
|
"cosmiconfig": "^8.0.0",
|
|
36
36
|
"debug": "^4.0.0",
|
|
@@ -70,7 +70,7 @@
|
|
|
70
70
|
"nock": "13.3.0",
|
|
71
71
|
"p-retry": "5.1.2",
|
|
72
72
|
"prettier": "2.8.7",
|
|
73
|
-
"sinon": "15.0.
|
|
73
|
+
"sinon": "15.0.4",
|
|
74
74
|
"stream-buffers": "3.0.2",
|
|
75
75
|
"tempy": "3.0.0",
|
|
76
76
|
"testdouble": "3.17.2"
|