semantic-release 25.0.0-beta.9 → 25.0.1-alpha.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -6,10 +6,15 @@ The [Authentication](../../usage/ci-configuration.md#authentication) environment
6
6
 
7
7
  In this example a publish type [`NPM_TOKEN`](https://docs.npmjs.com/creating-and-viewing-authentication-tokens) is required to publish a package to the npm registry. GitHub Actions [automatically populate](https://docs.github.com/en/actions/security-guides/automatic-token-authentication) a [`GITHUB_TOKEN`](https://help.github.com/en/articles/creating-a-personal-access-token-for-the-command-line) environment variable which can be used in Workflows.
8
8
 
9
- ## npm provenance
9
+ ## Trusted publishing and npm provenance
10
10
 
11
- Since GitHub Actions is a [supported provider](https://docs.npmjs.com/generating-provenance-statements#provenance-limitations) for [npm provenance](https://docs.npmjs.com/generating-provenance-statements), it is recommended to enable this to increase supply-chain security for your npm packages.
12
- Find more detail about configuring npm to publish with provenance through semantic-release [in the documentation for our npm plugin](https://github.com/semantic-release/npm#npm-provenance).
11
+ For improved security and automation, it is recommended to leverage [trusted publishing](https://docs.npmjs.com/trusted-publishers) through [OpenID Connect (OIDC)](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect) when publishing to npm from GitHub Actions.
12
+ GitHub Actions is a [trusted identity provider](https://docs.npmjs.com/trusted-publishers#identity-providers) for npm, enabling configuration of a trust relationship between your GitHub repository and npm so that no long-lived secret (like an `NPM_TOKEN`) is required to publish packages to npm from GitHub Actions.
13
+ Enabling trusted publishing requires granting the `id-token: write` permission to the job performing the publish step and [configuring a trust relationship](https://docs.npmjs.com/trusted-publishers#step-1-add-a-trusted-publisher-on-npmjscom) between your GitHub repository and npm.
14
+
15
+ [npm provenance](https://docs.npmjs.com/generating-provenance-statements) is valuable for increasing supply-chain security for your npm packages.
16
+ Before trusted publishing was available, generating provenance attestations required configuring your project to enable publishing with provenance.
17
+ With trusted publishing, npm provenance is automatically generated for packages published to npm from GitHub Actions without any additional configuration.
13
18
 
14
19
  ## Node project configuration
15
20
 
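Review bot: the unchanged context at line 7 of this file still states that a publish-type `NPM_TOKEN` "is required to publish a package to the npm registry", which now contradicts the new section saying that with trusted publishing no long-lived secret like `NPM_TOKEN` is needed (and the workflow example further down in this same diff drops the token). Suggest rewording that sentence to present `NPM_TOKEN` as the fallback for repositories that have not yet configured a trusted publisher, or moving it below the new "Trusted publishing and npm provenance" section. The new text also says `id-token: write` is needed by "the job performing the publish step"; it would help readers to add that the trusted-publisher entry on npmjs.com must name the same repository and workflow that runs that job, since the trust relationship is what replaces the token.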
@@ -40,7 +45,7 @@ jobs:
40
45
  contents: write # to be able to publish a GitHub release
41
46
  issues: write # to be able to comment on released issues
42
47
  pull-requests: write # to be able to comment on released pull requests
43
- id-token: write # to enable use of OIDC for npm provenance
48
+ id-token: write # to enable use of OIDC for trusted publishing and npm provenance
44
49
  steps:
45
50
  - name: Checkout
46
51
  uses: actions/checkout@v4
@@ -57,7 +62,6 @@ jobs:
57
62
  - name: Release
58
63
  env:
59
64
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
60
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
61
65
  run: npx semantic-release
62
66
  ```
63
67
 
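Review bot: removing `NPM_TOKEN` from the `env` block means this example publishes only through the OIDC trust relationship, so anyone who copies it before completing the npmjs.com trusted-publisher setup described above will get a failed publish with nothing to fall back on. Because the docs text calls trusted publishing "recommended" rather than required, consider a one-line note after the fence saying that `NPM_TOKEN: ${{ secrets.NPM_TOKEN }}` can still be set for repositories without a configured trusted publisher, or that the step fails until the trust relationship exists. Keeping `GITHUB_TOKEN` is correct, since the `contents: write` permission above shows it is still used to publish the GitHub release.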
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "semantic-release",
3
3
  "description": "Automated semver compliant package publishing",
4
- "version": "25.0.0-beta.9",
4
+ "version": "25.0.1-alpha.1",
5
5
  "type": "module",
6
6
  "author": "Stephan Bönnemann <stephan@boennemann.me> (http://boennemann.me)",
7
7
  "ava": {
@@ -27,10 +27,11 @@
27
27
  "Matt Travi <npm@travi.org> (https://matt.travi.org/)"
28
28
  ],
29
29
  "dependencies": {
30
- "@semantic-release/commit-analyzer": "^13.0.0-beta.1",
30
+ "@semantic-release/commit-analyzer": "^13.0.1",
31
31
  "@semantic-release/error": "^4.0.0",
32
- "@semantic-release/npm": "^13.0.0",
33
- "@semantic-release/release-notes-generator": "^14.0.0-beta.1",
32
+ "@semantic-release/github": "^12.0.0",
33
+ "@semantic-release/npm": "^13.1.0-alpha.5",
34
+ "@semantic-release/release-notes-generator": "^14.1.0",
34
35
  "aggregate-error": "^5.0.0",
35
36
  "cosmiconfig": "^9.0.0",
36
37
  "debug": "^4.0.0",
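Review bot: `@semantic-release/npm` is bumped to `^13.1.0-alpha.5`, a prerelease range, while `@semantic-release/commit-analyzer` and `@semantic-release/release-notes-generator` move from beta ranges to stable ones in the same hunk. A prerelease dependency is acceptable in a package that is itself at `25.0.1-alpha.1`, but the docs change in this same diff drops `NPM_TOKEN` from the GitHub Actions example, so the token-less trusted-publishing path users are steered towards depends on that alpha of the npm plugin; confirm the plugin release that actually supports publishing without `NPM_TOKEN` is what this range resolves to before the range is promoted to a stable `^13.1.0`. `@semantic-release/github` `^12.0.0` is also added here as a new entry in `dependencies`; it deserves a mention in the release notes so the reason for the added dependency is recorded.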