Skip to content

Commit

Permalink
CI: Add provenance to all published packages (#13097)
Browse files Browse the repository at this point in the history 
* CI: Add provenance to all published packages

This commit adds provenance for all published packages. See the NPM documentation [0].

Provenance will allow people to verify that the tailwindcss packages were actually built on GH Actions and with the content of the corresponding commit. This will help with supply chain security.

For this to work, the `id-token` permission was added only where necessary.

[0]: https://docs.npmjs.com/generating-provenance-statements

* chore: Add missing repository links to packages

This is needed for provenance, to link the repository to the build accoring to the NPM docs [0].

[0]: https://docs.npmjs.com/generating-provenance-statements#prerequisites
  • Loading branch information
@saibotk
saibotk committed Mar 7, 2024
1 parent de00a62 commit d86fd0b
Show file tree
Hide file tree
Showing 15 changed files with 86 additions and 17 deletions.
12 changes: 9 additions & 3 deletions .github/workflows/release-insiders-oxide.yml
View file
Expand Up @@ -269,6 +269,9 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 15
name: Build and release
permissions:
contents: read
id-token: write
needs:
- build
- build-linux
Expand Down Expand Up @@ -343,7 +346,7 @@ jobs:
echo "Publishing $pkg..."
cd $pkg
npm version ${{ env.NPM_VERSION }} --force --no-git-tag-version
npm publish --tag ${{ env.RELEASE_CHANNEL }} --access public
npm publish --provenance --tag ${{ env.RELEASE_CHANNEL }} --access public
cd -
done

Expand All @@ -352,7 +355,7 @@ jobs:
npm version ${{ env.NPM_VERSION }} --force --no-git-tag-version
sed "s#\"0.0.0\"#\"${{ env.NPM_VERSION }}\"#g" package.json > package_updated.json
mv package_updated.json package.json
npm publish --tag ${{ env.RELEASE_CHANNEL }} --access public
npm publish --provenance --tag ${{ env.RELEASE_CHANNEL }} --access public
cd -
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
Expand All @@ -361,6 +364,9 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 15
name: Build and release Tailwind CSS
permissions:
contents: read
id-token: write

needs:
- release
Expand Down Expand Up @@ -401,7 +407,7 @@ jobs:
run: npm version 0.0.0-${{ env.RELEASE_CHANNEL }}.${{ env.SHA_SHORT }} --force --no-git-tag-version

- name: Publish
run: npm publish --tag ${{ env.RELEASE_CHANNEL }}
run: npm publish --provenance --tag ${{ env.RELEASE_CHANNEL }}
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

Expand Down
3 changes: 2 additions & 1 deletion .github/workflows/release-insiders-stable.yml
View file
Expand Up @@ -6,6 +6,7 @@ on:

permissions:
contents: read
id-token: write

env:
CI: true
Expand Down Expand Up @@ -58,7 +59,7 @@ jobs:
run: npm version 0.0.0-${{ env.RELEASE_CHANNEL }}.${{ env.SHA_SHORT }} --force --no-git-tag-version

- name: Publish
run: npm publish --tag ${{ env.RELEASE_CHANNEL }}
run: npm publish --provenance --tag ${{ env.RELEASE_CHANNEL }}
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

Expand Down
12 changes: 9 additions & 3 deletions .github/workflows/release-oxide.yml
View file
Expand Up @@ -218,6 +218,9 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 15
name: Build and release
permissions:
contents: read
id-token: write
needs:
- oxide-build
- oxide-build-linux
Expand Down Expand Up @@ -273,7 +276,7 @@ jobs:
echo "Publishing $pkg..."
cd $pkg
npm version ${{ env.NPM_VERSION }} --force --no-git-tag-version
npm publish --tag insiders --access public
npm publish --provenance --tag insiders --access public
cd -
done

Expand All @@ -282,7 +285,7 @@ jobs:
npm version ${{ env.NPM_VERSION }} --force --no-git-tag-version
sed "s#\"0.0.0\"#\"${{ env.NPM_VERSION }}\"#g" package.json > package_updated.json
mv package_updated.json package.json
npm publish --tag insiders --access public
npm publish --provenance --tag insiders --access public
cd -
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
Expand All @@ -291,6 +294,9 @@ jobs:
runs-on: ubuntu-latest
timeout-minutes: 15
name: Build and release Tailwind CSS
permissions:
contents: read
id-token: write

needs:
- oxide-release
Expand Down Expand Up @@ -332,6 +338,6 @@ jobs:
run: npm version 0.0.0-oxide.${{ env.SHA_SHORT }} --force --no-git-tag-version

- name: Publish
run: npm publish --tag oxide
run: npm publish --provenance --tag oxide
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
3 changes: 2 additions & 1 deletion .github/workflows/release-stable.yml
View file
Expand Up @@ -6,6 +6,7 @@ on:

permissions:
contents: read
id-token: write

env:
CI: true
Expand Down Expand Up @@ -47,7 +48,7 @@ jobs:
echo "TAILWINDCSS_VERSION=$(node -e 'console.log(require(`./package.json`).version);')" >> $GITHUB_ENV

- name: Publish
run: npm publish --tag ${{ env.RELEASE_CHANNEL }}
run: npm publish --provenance --tag ${{ env.RELEASE_CHANNEL }}
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

Expand Down
7 changes: 6 additions & 1 deletion oxide/crates/node/npm/darwin-arm64/package.json
View file
@@ -1,6 +1,11 @@
{
"name": "@tailwindcss/oxide-darwin-arm64",
"version": "0.0.0",
"repository": {
"type": "git",
"url": "git+https://github.com/tailwindlabs/tailwindcss.git",
"directory": "oxide/crates/node/npm/darwin-arm64"
},
"os": [
"darwin"
],
Expand All @@ -15,4 +20,4 @@
"engines": {
"node": ">= 10"
}
}
}
7 changes: 6 additions & 1 deletion oxide/crates/node/npm/darwin-x64/package.json
View file
@@ -1,6 +1,11 @@
{
"name": "@tailwindcss/oxide-darwin-x64",
"version": "0.0.0",
"repository": {
"type": "git",
"url": "git+https://github.com/tailwindlabs/tailwindcss.git",
"directory": "oxide/crates/node/npm/darwin-x64"
},
"os": [
"darwin"
],
Expand All @@ -15,4 +20,4 @@
"engines": {
"node": ">= 10"
}
}
}
7 changes: 6 additions & 1 deletion oxide/crates/node/npm/freebsd-x64/package.json
View file
@@ -1,6 +1,11 @@
{
"name": "@tailwindcss/oxide-freebsd-x64",
"version": "0.0.0",
"repository": {
"type": "git",
"url": "git+https://github.com/tailwindlabs/tailwindcss.git",
"directory": "oxide/crates/node/npm/freebsd-x64"
},
"os": [
"freebsd"
],
Expand All @@ -15,4 +20,4 @@
"engines": {
"node": ">= 10"
}
}
}
7 changes: 6 additions & 1 deletion oxide/crates/node/npm/linux-arm-gnueabihf/package.json
View file
@@ -1,6 +1,11 @@
{
"name": "@tailwindcss/oxide-linux-arm-gnueabihf",
"version": "0.0.0",
"repository": {
"type": "git",
"url": "git+https://github.com/tailwindlabs/tailwindcss.git",
"directory": "oxide/crates/node/npm/linux-arm-gnueabihf"
},
"os": [
"linux"
],
Expand All @@ -15,4 +20,4 @@
"engines": {
"node": ">= 10"
}
}
}
7 changes: 6 additions & 1 deletion oxide/crates/node/npm/linux-arm64-gnu/package.json
View file
@@ -1,6 +1,11 @@
{
"name": "@tailwindcss/oxide-linux-arm64-gnu",
"version": "0.0.0",
"repository": {
"type": "git",
"url": "git+https://github.com/tailwindlabs/tailwindcss.git",
"directory": "oxide/crates/node/npm/linux-arm64-gnu"
},
"os": [
"linux"
],
Expand All @@ -18,4 +23,4 @@
"libc": [
"glibc"
]
}
}
7 changes: 6 additions & 1 deletion oxide/crates/node/npm/linux-arm64-musl/package.json
View file
@@ -1,6 +1,11 @@
{
"name": "@tailwindcss/oxide-linux-arm64-musl",
"version": "0.0.0",
"repository": {
"type": "git",
"url": "git+https://github.com/tailwindlabs/tailwindcss.git",
"directory": "oxide/crates/node/npm/linux-arm64-musl"
},
"os": [
"linux"
],
Expand All @@ -18,4 +23,4 @@
"libc": [
"musl"
]
}
}
7 changes: 6 additions & 1 deletion oxide/crates/node/npm/linux-x64-gnu/package.json
View file
@@ -1,6 +1,11 @@
{
"name": "@tailwindcss/oxide-linux-x64-gnu",
"version": "0.0.0",
"repository": {
"type": "git",
"url": "git+https://github.com/tailwindlabs/tailwindcss.git",
"directory": "oxide/crates/node/npm/linux-x64-gnu"
},
"os": [
"linux"
],
Expand All @@ -18,4 +23,4 @@
"libc": [
"glibc"
]
}
}
7 changes: 6 additions & 1 deletion oxide/crates/node/npm/linux-x64-musl/package.json
View file
@@ -1,6 +1,11 @@
{
"name": "@tailwindcss/oxide-linux-x64-musl",
"version": "0.0.0",
"repository": {
"type": "git",
"url": "git+https://github.com/tailwindlabs/tailwindcss.git",
"directory": "oxide/crates/node/npm/linux-x64-musl"
},
"os": [
"linux"
],
Expand All @@ -18,4 +23,4 @@
"libc": [
"musl"
]
}
}
7 changes: 6 additions & 1 deletion oxide/crates/node/npm/win32-x64-msvc/package.json
View file
@@ -1,6 +1,11 @@
{
"name": "@tailwindcss/oxide-win32-x64-msvc",
"version": "0.0.0",
"repository": {
"type": "git",
"url": "git+https://github.com/tailwindlabs/tailwindcss.git",
"directory": "oxide/crates/node/npm/win32-x64-msvc"
},
"os": [
"win32"
],
Expand All @@ -15,4 +20,4 @@
"engines": {
"node": ">= 10"
}
}
}
5 changes: 5 additions & 0 deletions oxide/crates/node/package.json
View file
Expand Up @@ -18,6 +18,11 @@
}
},
"license": "MIT",
"repository": {
"type": "git",
"url": "git+https://github.com/tailwindlabs/tailwindcss.git",
"directory": "oxide/crates/node"
},
"devDependencies": {
"@napi-rs/cli": "^2.15.2"
},
Expand Down
5 changes: 5 additions & 0 deletions standalone-cli/package.json
View file
@@ -1,6 +1,11 @@
{
"name": "tailwindcss-standalone",
"version": "0.0.0",
"repository": {
"type": "git",
"url": "git+https://github.com/tailwindlabs/tailwindcss.git",
"directory": "standalone-cli"
},
"bin": "standalone.js",
"scripts": {
"build": "pkg . --compress Brotli --no-bytecode --public-packages \"*\" --public",
Expand Down

0 comments on commit d86fd0b

Please sign in to comment.