chore(*): Publish packages with npm provenance (clerk#1891)

LekoArts · web-flow · commit 3bf64107e1d0 · 2023-10-18T10:17:02.000Z
* chore(repo): Add provenance to .npmrc * chore(*): Add directory to "repository" key * chore(repo): Typo fix * chore(*): Use publishConfig instead * chore(repo): Add missing permissions * chore(*): Normalize repository.url * chore(repo): Try not to use provenance in verdaccio * chore(*): Use env var * chore(repo): Move env var around * Revert "chore(repo): Move env var around" This reverts commit 9ff9834. * chore(repo): Adjust npm scripts
diff --git a/.changeset/fast-planes-talk.md b/.changeset/fast-planes-talk.md
@@ -0,0 +1,18 @@
+---
+'gatsby-plugin-clerk': patch
+'@clerk/chrome-extension': patch
+'@clerk/localizations': patch
+'@clerk/clerk-js': patch
+'@clerk/clerk-sdk-node': patch
+'@clerk/backend': patch
+'@clerk/fastify': patch
+'@clerk/nextjs': patch
+'@clerk/shared': patch
+'@clerk/themes': patch
+'@clerk/clerk-react': patch
+'@clerk/remix': patch
+'@clerk/types': patch
+'@clerk/clerk-expo': patch
+---
+
+Publish packages with [npm provenance](https://docs.npmjs.com/generating-provenance-statements) enabled
diff --git a/.github/workflows/release-prod.yml b/.github/workflows/release-prod.yml
@@ -15,6 +15,9 @@ jobs:
     name: Release
     if: ${{ github.repository == 'clerkinc/javascript' }}
     runs-on: ${{ vars.RUNNER_LARGE }}
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Echo github context
         run: echo "$GITHUB_CONTEXT"
@@ -38,6 +41,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.CLERK_COOKIE_PAT }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
 
       - name: Trigger workflows on related repos
         if: steps.changesets.outputs.published == 'true'
diff --git a/.github/workflows/release-snapshot.yml b/.github/workflows/release-snapshot.yml
@@ -16,6 +16,9 @@ jobs:
     env:
       TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
       TURBO_TEAM: ${{ vars.TURBO_TEAM }}
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Limit action to Clerk members
         uses: actions/github-script@v6
@@ -62,6 +65,7 @@ jobs:
         run: npm run release:snapshot
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
 
       - name: Package info
         if: steps.version-packages.outputs.success == '1'
diff --git a/.github/workflows/release-staging.yml b/.github/workflows/release-staging.yml
@@ -18,6 +18,9 @@ jobs:
       TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
       TURBO_TEAM: ${{ vars.TURBO_TEAM }}
       TURBO_REMOTE_ONLY: true
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Checkout repo
         uses: actions/checkout@v3
@@ -34,6 +37,7 @@ jobs:
         run: npm run release:staging
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
 
       - name: Trigger workflows on related repos
         uses: actions/github-script@v6
diff --git a/commitlint.config.js b/commitlint.config.js
@@ -17,6 +17,6 @@ module.exports = {
     'subject-case': [2, 'always', ['sentence-case']],
     'body-max-line-length': [1, 'always', '150'],
     'scope-empty': [2, 'never'],
-    'scope-enum': [2, 'always', [...getPackageNames(), 'repo', 'release']],
+    'scope-enum': [2, 'always', [...getPackageNames(), 'repo', 'release', '*']],
   },
 };
diff --git a/package.json b/package.json
@@ -78,20 +78,20 @@
     "lint:attw": "FORCE_COLOR=1 turbo lint:attw",
     "lint:fix": "FORCE_COLOR=1 turbo lint -- --fix",
     "bundlewatch": "turbo bundlewatch",
-    "format": "npx prettier --write .",
-    "format:check": "npx prettier --cache --check .",
+    "format": "prettier --write .",
+    "format:check": "prettier --cache --check .",
     "nuke": "./scripts/nuke.sh",
     "yalc:all": "for d in packages/*/; do echo $d; cd $d; yalc push --replace --sig; cd '../../'; done",
     "prepare": "husky install",
-    "changeset": "npx changeset",
+    "changeset": "changeset",
     "changeset:empty": "npm run changeset -- --empty",
-    "version": "npx changeset version && ./scripts/version-info.sh",
+    "version": "changeset version && ./scripts/version-info.sh",
     "version:snapshot": "./scripts/snapshot.mjs",
     "version:staging": "./scripts/staging.mjs",
-    "release": "FORCE_COLOR=1 npm run build -- --force && npx changeset publish && git push --follow-tags",
-    "release:snapshot": "FORCE_COLOR=1 npm run build && npx changeset publish --tag snapshot --no-git-tag",
-    "release:staging": "FORCE_COLOR=1 npm run build && npx changeset publish --tag staging --no-git-tag",
-    "release:verdaccio": "if [ \"$(npm config get registry)\" = \"https://registry.npmjs.org/\" ]; then echo 'Error: Using default registry' && exit 1; else TURBO_CONCURRENCY=4 npm run build && npx changeset publish --no-git-tag; fi",
+    "release": "FORCE_COLOR=1 npm run build -- --force && changeset publish && git push --follow-tags",
+    "release:snapshot": "FORCE_COLOR=1 npm run build && changeset publish --tag snapshot --no-git-tag",
+    "release:staging": "FORCE_COLOR=1 npm run build && changeset publish --tag staging --no-git-tag",
+    "release:verdaccio": "if [ \"$(npm config get registry)\" = \"https://registry.npmjs.org/\" ]; then echo 'Error: Using default registry' && exit 1; else TURBO_CONCURRENCY=4 npm run build && changeset publish --no-git-tag; fi",
     "update:lockfile": "npm run nuke && npm install -D --arch=x64 --platform=linux turbo && npm install -D --arch=arm64 --platform=darwin turbo"
   }
 }
diff --git a/packages/backend/package.json b/packages/backend/package.json
@@ -80,7 +80,8 @@
   "homepage": "https://clerk.com/",
   "repository": {
     "type": "git",
-    "url": "https://github.com/clerkinc/javascript.git"
+    "url": "git+https://github.com/clerkinc/javascript.git",
+    "directory": "packages/backend"
   },
   "bugs": {
     "url": "https://github.com/clerkinc/javascript/issues"
diff --git a/packages/chrome-extension/package.json b/packages/chrome-extension/package.json
@@ -53,7 +53,8 @@
   },
   "repository": {
     "type": "git",
-    "url": "https://github.com/clerkinc/javascript.git"
+    "url": "git+https://github.com/clerkinc/javascript.git",
+    "directory": "packages/chrome-extension"
   },
   "bugs": {
     "url": "https://github.com/clerkinc/javascript/issues"
diff --git a/packages/clerk-js/package.json b/packages/clerk-js/package.json
@@ -93,7 +93,8 @@
   "browserslist": "last 2 versions, ios_saf > 12, Safari > 12, > 1%, not dead, not ie > 0",
   "repository": {
     "type": "git",
-    "url": "https://github.com/clerkinc/javascript.git"
+    "url": "git+https://github.com/clerkinc/javascript.git",
+    "directory": "packages/clerk-js"
   },
   "homepage": "https://clerk.com/",
   "bugs": {
diff --git a/packages/expo/package.json b/packages/expo/package.json
@@ -60,7 +60,8 @@
   },
   "repository": {
     "type": "git",
-    "url": "https://github.com/clerkinc/javascript.git"
+    "url": "git+https://github.com/clerkinc/javascript.git",
+    "directory": "packages/expo"
   },
   "bugs": {
     "url": "https://github.com/clerkinc/javascript/issues"
diff --git a/packages/fastify/package.json b/packages/fastify/package.json
@@ -50,7 +50,8 @@
   },
   "repository": {
     "type": "git",
-    "url": "https://github.com/clerkinc/javascript.git"
+    "url": "git+https://github.com/clerkinc/javascript.git",
+    "directory": "packages/fastify"
   },
   "bugs": {
     "url": "https://github.com/clerkinc/javascript/issues"
diff --git a/packages/gatsby-plugin-clerk/package.json b/packages/gatsby-plugin-clerk/package.json
@@ -59,7 +59,8 @@
   },
   "repository": {
     "type": "git",
-    "url": "https://github.com/clerkinc/javascript.git"
+    "url": "git+https://github.com/clerkinc/javascript.git",
+    "directory": "packages/gatsby-plugin-clerk"
   },
   "bugs": {
     "url": "https://github.com/clerkinc/javascript/issues"
diff --git a/packages/localizations/package.json b/packages/localizations/package.json
@@ -45,7 +45,8 @@
   },
   "repository": {
     "type": "git",
-    "url": "https://github.com/clerkinc/javascript.git"
+    "url": "git+https://github.com/clerkinc/javascript.git",
+    "directory": "packages/localizations"
   },
   "bugs": {
     "url": "https://github.com/clerkinc/javascript/issues"
diff --git a/packages/nextjs/package.json b/packages/nextjs/package.json
@@ -106,7 +106,8 @@
   },
   "repository": {
     "type": "git",
-    "url": "https://github.com/clerkinc/javascript.git"
+    "url": "git+https://github.com/clerkinc/javascript.git",
+    "directory": "packages/nextjs"
   },
   "bugs": {
     "url": "https://github.com/clerkinc/javascript/issues"
diff --git a/packages/react/package.json b/packages/react/package.json
@@ -67,7 +67,8 @@
   },
   "repository": {
     "type": "git",
-    "url": "https://github.com/clerkinc/javascript.git"
+    "url": "git+https://github.com/clerkinc/javascript.git",
+    "directory": "packages/react"
   },
   "homepage": "https://clerk.com/",
   "bugs": {
diff --git a/packages/remix/package.json b/packages/remix/package.json
@@ -90,7 +90,8 @@
   },
   "repository": {
     "type": "git",
-    "url": "https://github.com/clerkinc/javascript.git"
+    "url": "git+https://github.com/clerkinc/javascript.git",
+    "directory": "packages/remix"
   },
   "bugs": {
     "url": "https://github.com/clerkinc/javascript/issues"
diff --git a/packages/sdk-node/package.json b/packages/sdk-node/package.json
@@ -50,7 +50,7 @@
   "author": {
     "name": "Clerk, Inc.",
     "email": "support@clerk.com",
-    "url": "https://github.com/clerkinc/clerk-sdk-node"
+    "url": "git+https://github.com/clerkinc/javascript.git"
   },
   "devDependencies": {
     "nock": "^13.0.7",
@@ -73,7 +73,8 @@
   "description": "Clerk server SDK for usage with node",
   "repository": {
     "type": "git",
-    "url": "https://github.com/clerkinc/javascript.git"
+    "url": "git+https://github.com/clerkinc/javascript.git",
+    "directory": "packages/sdk-node"
   },
   "keywords": [
     "clerk",
diff --git a/packages/shared/package.json b/packages/shared/package.json
@@ -54,5 +54,10 @@
   "license": "MIT",
   "publishConfig": {
     "access": "public"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/clerkinc/javascript.git",
+    "directory": "packages/shared"
   }
 }
diff --git a/packages/themes/package.json b/packages/themes/package.json
@@ -42,7 +42,8 @@
   },
   "repository": {
     "type": "git",
-    "url": "https://github.com/clerkinc/javascript.git"
+    "url": "git+https://github.com/clerkinc/javascript.git",
+    "directory": "packages/themes"
   },
   "bugs": {
     "url": "https://github.com/clerkinc/javascript/issues"
diff --git a/packages/types/package.json b/packages/types/package.json
@@ -39,7 +39,8 @@
   },
   "repository": {
     "type": "git",
-    "url": "https://github.com/clerkinc/javascript.git"
+    "url": "git+https://github.com/clerkinc/javascript.git",
+    "directory": "packages/types"
   },
   "homepage": "https://clerk.com/",
   "bugs": {

Original file line number	Diff line number	Diff line change
`@@ -54,5 +54,10 @@`
`54`	`54`	`"license": "MIT",`
`55`	`55`	`"publishConfig": {`
`56`	`56`	`"access": "public"`
	`57`	`+ },`
	`58`	`+ "repository": {`
	`59`	`+ "type": "git",`
	`60`	`+ "url": "git+https://github.com/clerkinc/javascript.git",`
	`61`	`+ "directory": "packages/shared"`
`57`	`62`	`}`
`58`	`63`	`}`