Skip to content

feat: enable provenance in trusted environments by default #7018

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
GauBen wants to merge 4 commits into
base: master
Choose a base branch
from
Open

feat: enable provenance in trusted environments by default #7018

GauBen wants to merge 4 commits into from
+58 −2

Conversation

@GauBen
Copy link
Contributor

@GauBen GauBen commented Dec 15, 2025
edited
Loading

What's the problem this PR addresses?

Closes #7017

How did you fix it?

Set provenance = true when all necessary env vars are defined

Checklist

  • I have set the packages that need to be released for my changes to be effective.
  • I will check that all automated PR checks pass before the PR gets reviewed.

clemyan
clemyan reviewed Dec 17, 2025
View reviewed changes
packages/plugin-npm-cli/sources/commands/npm/publish.ts
Comment on lines 137 to 142
} else if (this.provenance) {
provenance = true;
provenanceMessage = `Generating provenance statement because \`--provenance\` flag is set.`;
} else if (configuration.get(`npmPublishProvenance`)) {
provenance = true;
provenanceMessage = `Generating provenance statement because \`npmPublishProvenance\` setting is set.`;
Copy link
Member

@clemyan clemyan Dec 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO, if we are to enable provenance by default (even conditionally), we need to properly support --no-provenance and npmPublishProvenance: false to override that behaviour

@Drarig29
Copy link

Drarig29 commented Jan 15, 2026

Hi @GauBen @clemyan! Gentle bump on this PR. While reading https://docs.npmjs.com/trusted-publishers#automatic-provenance-generation we assumed we could drop the --provenance flag when migrating to OIDC publishing with Yarn as well, but it's only the case for NPM.

In the meantime, we are going to reintroduce the --provenance flag

@Drarig29 Drarig29 mentioned this pull request Jan 15, 2026
Merged
1 task
@arcanis
Copy link
Member

arcanis commented Jan 15, 2026
edited
Loading

I'm not certain we can do this - it's not documented well, but provenance publishing isn't possible from private repositories :/

https://github.blog/changelog/2023-07-25-publishing-with-npm-provenance-from-private-source-repositories-is-no-longer-supported/

Or at least we may need to replicate a check to make sure we don't apply this on private repo. How does npm do it?

@Drarig29
Copy link

Drarig29 commented Jan 15, 2026
edited
Loading

Just more code to copy/paste from NPM indeed, haha 😁

@GauBen
Copy link
Contributor Author

GauBen commented Jan 31, 2026

I implemented the easy part: a new --no-provenance flag to disable the automated generation

clemyan
clemyan reviewed Feb 10, 2026
View reviewed changes
Copy link
Member

@clemyan clemyan left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, this brings up something I didn't consider — provenance can be configured via npmPublishProvenance, publishConfig.provenance, and CLI option (--provenance). What should be the precedence between them?

Currently, it's publishConfig.provenance > CLI option > npmPublishProvenance. I think it makes sense since we don't have --no-provenance. But should we reevaluate that, now that we will?

wdyt @arcanis

packages/plugin-npm-cli/sources/commands/npm/publish.ts
Comment on lines +56 to 62
noProvenance = Option.Boolean(`--no-provenance`, false, {
description: `
Do not generate provenance for the package. This overrides any other provenance settings.

Set \`--no-provenance\` to enable OIDC without provenance (e.g. for private repositories).
`,
});
Copy link
Member

@clemyan clemyan Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As far as I understand, you can remove the default value from the --provenance flag. It would allow you to distinguish yarn npm publish, yarn npm publish --provenance, and yarn npm publish --no-provenance by this.provenance being undefined, true, and false respectively.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@clemyan clemyan clemyan left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Feature] Automatically enable provenance when under the right conditions

4 participants

@GauBen @Drarig29 @arcanis @clemyan