From 5a85d8089a56dd7b85faf56f4ee31741a3832a22 Mon Sep 17 00:00:00 2001
From: saibotk <git@saibotk.de>
Date: Tue, 12 Mar 2024 15:32:15 +0100
Subject: [PATCH] CI: Add provenance to publised packages (#3023)

This commit adds provenance for all published packages. See the NPM documentation [0].

Provenance will allow people to verify that the headlessui packages were actually built on GH Actions and with the content of the corresponding commit. This will help with supply chain security.

For this to work, the `id-token` permission was added only where necessary.

[0]: https://docs.npmjs.com/generating-provenance-statements
---
 .github/workflows/release-insiders.yml | 6 +++++-
 .github/workflows/release.yml          | 3 ++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release-insiders.yml b/.github/workflows/release-insiders.yml
index 1aff11f8f7..c5ecb2f014 100644
--- a/.github/workflows/release-insiders.yml
+++ b/.github/workflows/release-insiders.yml
@@ -8,6 +8,10 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -53,7 +57,7 @@ jobs:
         run: npm version -w packages 0.0.0-insiders.${{ steps.vars.outputs.sha_short }} --force --no-git-tag-version
 
       - name: Publish
-        run: npm publish -w packages --tag insiders
+        run: npm publish -w packages --provenance --tag insiders
         env:
           CI: true
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 28977037f5..97e7dfff46 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,6 +10,7 @@ concurrency:
 
 permissions:
   contents: read
+  id-token: write
 
 env:
   CI: true
@@ -58,6 +59,6 @@ jobs:
           echo "PACKAGE_PATH=$(npm run package-path $TAG_NAME --silent)" >> $GITHUB_ENV
 
       - name: Publish
-        run: npm publish ${{ env.PACKAGE_PATH }} --tag ${{ env.RELEASE_CHANNEL }}
+        run: npm publish ${{ env.PACKAGE_PATH }} --provenance --tag ${{ env.RELEASE_CHANNEL }}
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}