Add npm provenance enable flag for production npm build

9ec7fd2e · Mateusz Tyszczak · 12db226c · 9ec7fd2e · 9ec7fd2e
Verified Commit 9ec7fd2e authored 6 months ago by Mateusz Tyszczak
--- a/scripts/bash/npm-helpers/npm_publish.sh
+++ b/scripts/bash/npm-helpers/npm_publish.sh
@@ -7,6 +7,9 @@ PROJECT_DIR="${1:?Missing arg #1 specifying a project source directory}"
 REGISTRY_URL="${2:?Missing arg #2 pointing an NPM registry URL}"
 SCOPE="${3:?Missing arg #3 pointing a package scope}"
 PUBLISH_TOKEN="${4:?Missing arg #4 pointing a deployment token}"
+NPM_PROVENANCE_ENABLE="${5:-0}"
+
+NPM_FLAGS="--access=public"

 echo> "${PROJECT_DIR}/.npmrc"

@@ -27,10 +30,16 @@ if [ "${VERSION}" = "" ]; then
  exit 1
 fi

+NPM_FLAGS="${NPM_FLAGS} --tag \"${PACKAGE_DIST_TAG}\""
+
 set +e

 echo "Attempting to verify presence of package: ${NAME}@${VERSION}, dist-tag: ${PACKAGE_DIST_TAG} in the registry: ${REGISTRY_URL}"

+if [ "${NPM_PROVENANCE_ENABLE}" -eq "1" ]; then
+  NPM_FLAGS="${NPM_FLAGS} --provenance"
+fi
+
 # Check if package with given version has been already published
 npm view "${NAME}@${VERSION}" version 2>/dev/null

@@ -40,7 +49,7 @@ else
  set -e
  echo "Publishing ${NAME}@${VERSION} to tag ${PACKAGE_DIST_TAG}"
  # We are going to repack the tarball as there are registry-dependent data in each job for package.json
-  npm publish --access=public --tag "${PACKAGE_DIST_TAG}"
+  npm publish $NPM_FLAGS
 fi

 popd
--- a/templates/npm_projects.gitlab-ci.yml
+++ b/templates/npm_projects.gitlab-ci.yml
@@ -3,7 +3,7 @@ include:

 variables:
  # uses registry.gitlab.syncad.com/hive/common-ci-configuration/emsdk:3.1.62-1
-  EMSCRIPTEN_IMAGE_TAG: "3.1.62-1@sha256:1bc4876054017a7199b821f251f7e7a5d694616310410b13816e7ecff2d648d4"
+  EMSCRIPTEN_IMAGE_TAG: "3.1.62-1@sha256:3dcca5c27df79c2fc4be44ff3bc14c8a35008137fb7857001e9f63285d12dd77"
  EMSCRIPTEN_IMAGE: "registry.gitlab.syncad.com/hive/common-ci-configuration/emsdk:$EMSCRIPTEN_IMAGE_TAG"

 .node_based_job_base:
@@ -199,12 +199,14 @@ variables:
    PACKAGE_TGZ_PATH: ""
    # registry.npmjs.org authentication token - it should be overrided by derived job
    NPM_PUBLISH_TOKEN: ""
+    # Should enable npm provenance signing
+    NPM_PROVENANCE_ENABLE: "0"

  script:
    # project version info must be regenerated accoring to correct target registry, package scope and name
    - /home/emscripten/scripts/npm_generate_version.sh "${SOURCE_DIR}" "registry.npmjs.org/" "@hiveio" "${NPM_PACKAGE_NAME}" "latest"
    - echo -e "\e[0Ksection_start:$(date +%s):publishing[collapsed=false]\r\e[0KAttempting to publish a package to registry.npmjs.org..."
-    - /home/emscripten/scripts/npm_publish.sh "${SOURCE_DIR}" "registry.npmjs.org/" "@hiveio" "${NPM_PUBLISH_TOKEN}"
+    - /home/emscripten/scripts/npm_publish.sh "${SOURCE_DIR}" "registry.npmjs.org/" "@hiveio" "${NPM_PUBLISH_TOKEN}" "${NPM_PROVENANCE_ENABLE}"
    - echo -e "\e[0Ksection_end:$(date +%s):publishing\r\e[0KDone"

  rules: