chore: adds npm provenance feature (#63)

jwndlng · web-flow · commit dd05b2da87c4 · 2025-10-28T11:13:38.000+01:00
* chore: adds npm provenance feature

* chore: removes blank line

* chore: update comments

* chore: update comments

* chore: update prettier changes
diff --git a/actions/npm-publish/README.md b/actions/npm-publish/README.md
@@ -1,14 +1,15 @@
 # NPM publish
 
-This action publishes a package to the npm registry. It assumes that `npm` and `pnpm` is already setup, see the [setup PNPM action](../setup-pnpm/README.md) for a ready to use action to do this.
+This action publishes a package to the npm registry. It assumes that `npm` and `pnpm` is already setup, see the [setup PNPM action](../setup-pnpm/README.md) for a ready to use action to do this. Starting from npm version 11.5.1, OIDC is supported.
 
 ## Action inputs
 
-| Input             | Description                                                           | Default    |
-| ----------------- | --------------------------------------------------------------------- | ---------- |
-| `token`           | The npm token to authenticate with the npm registry.                  | _required_ |
-| `is_beta`         | Publish the package as a beta version. Expects a stringified boolean. | `'false'`  |
-| `package_manager` | The package manager to use for publishing.                            | `'npm'`    |
+| Input               | Description.                                                                  | Default   |
+| ------------------- | ----------------------------------------------------------------------------- | --------- |
+| `token`             | The npm token to authenticate with the npm registry.                          | `''`      |
+| `is_beta`           | Publish the package as a beta version. Expects a stringified boolean.         | `'false'` |
+| `package_manager`   | The package manager to use for publishing.                                    | `'npm'`   |
+| `enable_provenance` | Enable the generation and publication of NPM's package provenance statements. | `'true'`  |
 
 ## Action outputs
 
diff --git a/actions/npm-publish/action.yaml b/actions/npm-publish/action.yaml
@@ -13,6 +13,10 @@ inputs:
     description: 'The package manager to use for publishing.'
     required: false
     default: 'npm'
+  enable_provenance:
+    description: "Enable the generation and publication of NPM's package provenance statements."
+    required: false
+    default: 'true'
 
 outputs:
   artifact_filepath:
@@ -27,6 +31,7 @@ runs:
       env:
         NODE_AUTH_TOKEN: ${{ inputs.token }}
         IS_BETA: ${{ inputs.is_beta }}
+        NPM_CONFIG_PROVENANCE: ${{ inputs.enable_provenance }}
       shell: bash
       run: |
         artifact_filepath=$(pwd)/$(${{ inputs.package_manager }} pack --json | jq -r '.[0].filename')
