From d86fd0bb5b69c9aa5c75d4e78f8fe78969d6ff50 Mon Sep 17 00:00:00 2001
From: saibotk
Date: Thu, 7 Mar 2024 21:32:58 +0100
Subject: [PATCH] CI: Add provenance to all published packages (#13097)

* CI: Add provenance to all published packages

This commit adds provenance for all published packages. See the NPM documentation [0]. Provenance will allow people to verify that the tailwindcss packages were actually built on GH Actions and with the content of the corresponding commit. This will help with supply chain security. For this to work, the `id-token` permission was added only where necessary.

[0]: https://docs.npmjs.com/generating-provenance-statements

* chore: Add missing repository links to packages

This is needed for provenance, to link the repository to the build accoring to the NPM docs [0].

[0]: https://docs.npmjs.com/generating-provenance-statements#prerequisites
---
 .github/workflows/release-insiders-oxide.yml | 12 +++++++++---
 .github/workflows/release-insiders-stable.yml | 3 ++-
 .github/workflows/release-oxide.yml | 12 +++++++++---
 .github/workflows/release-stable.yml | 3 ++-
 oxide/crates/node/npm/darwin-arm64/package.json | 7 ++++++-
 oxide/crates/node/npm/darwin-x64/package.json | 7 ++++++-
 oxide/crates/node/npm/freebsd-x64/package.json | 7 ++++++-
 .../crates/node/npm/linux-arm-gnueabihf/package.json | 7 ++++++-
 oxide/crates/node/npm/linux-arm64-gnu/package.json | 7 ++++++-
 oxide/crates/node/npm/linux-arm64-musl/package.json | 7 ++++++-
 oxide/crates/node/npm/linux-x64-gnu/package.json | 7 ++++++-
 oxide/crates/node/npm/linux-x64-musl/package.json | 7 ++++++-
 oxide/crates/node/npm/win32-x64-msvc/package.json | 7 ++++++-
 oxide/crates/node/package.json | 5 +++++
 standalone-cli/package.json | 5 +++++
 15 files changed, 86 insertions(+), 17 deletions(-)

diff --git a/.github/workflows/release-insiders-oxide.yml b/.github/workflows/release-insiders-oxide.yml
index 5ddab368c771..3afe4e7908ac 100644
--- a/.github/workflows/release-insiders-oxide.yml
+++ b/.github/workflows/release-insiders-oxide.yml
@@ -269,6 +269,9 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 15
 name: Build and release
+ permissions:
+ contents: read
+ id-token: write
 needs:
 - build
 - build-linux
@@ -343,7 +346,7 @@ jobs:
 echo "Publishing $pkg..."
 cd $pkg
 npm version ${{ env.NPM_VERSION }} --force --no-git-tag-version
- npm publish --tag ${{ env.RELEASE_CHANNEL }} --access public
+ npm publish --provenance --tag ${{ env.RELEASE_CHANNEL }} --access public
 cd -
 done
@@ -352,7 +355,7 @@ jobs:
 npm version ${{ env.NPM_VERSION }} --force --no-git-tag-version
 sed "s#\"0.0.0\"#\"${{ env.NPM_VERSION }}\"#g" package.json > package_updated.json
 mv package_updated.json package.json
- npm publish --tag ${{ env.RELEASE_CHANNEL }} --access public
+ npm publish --provenance --tag ${{ env.RELEASE_CHANNEL }} --access public
 cd -
 env:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
@@ -361,6 +364,9 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 15
 name: Build and release Tailwind CSS
+ permissions:
+ contents: read
+ id-token: write
 needs:
 - release
@@ -401,7 +407,7 @@ jobs:
 run: npm version 0.0.0-${{ env.RELEASE_CHANNEL }}.${{ env.SHA_SHORT }} --force --no-git-tag-version
 - name: Publish
- run: npm publish --tag ${{ env.RELEASE_CHANNEL }}
+ run: npm publish --provenance --tag ${{ env.RELEASE_CHANNEL }}
 env:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/release-insiders-stable.yml b/.github/workflows/release-insiders-stable.yml
index f8bb322d412f..d35ad265b697 100644
--- a/.github/workflows/release-insiders-stable.yml
+++ b/.github/workflows/release-insiders-stable.yml
@@ -6,6 +6,7 @@ on:
 permissions:
 contents: read
+ id-token: write
 env:
 CI: true
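Review bot: The `npm publish --provenance` call in this loop (and the same flag in the @@ -352 and @@ -401 hunks of this file and in the publish hunks of release-insiders-stable.yml, release-oxide.yml and release-stable.yml) needs npm 9.5.0 or newer, and the setup step that decides which npm is on PATH is outside the hunk. An older npm does not reject an unrecognised flag, so the publish would most likely succeed without any attestation and nothing would fail loudly. I would pin the Node setup to a release that bundles npm 9.5.0+, or fail fast before the loop with a check such as `npm -v | awk -F. '!($1>9 || ($1==9 && $2>=5)) {exit 1}'`. The enclosing shell step starts before this hunk; the `for` line that `done` closes is not shown.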
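Review bot: `id-token: write` is added to the workflow-level `permissions:` block of release-insiders-stable.yml, which hands an OIDC token to every job in that workflow rather than only to the job that runs `npm publish`; the first hunk of release-stable.yml does the same. The commit message says the permission was added only where necessary, and release-insiders-oxide.yml in this same commit already uses the tighter job-level form. I would leave the workflow level at `contents: read` and put `permissions:` / `contents: read` / `id-token: write` under the publishing job instead. If these two workflows currently have a single job the difference is moot today, but the job-level grant keeps any job added later from inheriting it.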
@@ -58,7 +59,7 @@ jobs:
 run: npm version 0.0.0-${{ env.RELEASE_CHANNEL }}.${{ env.SHA_SHORT }} --force --no-git-tag-version
 - name: Publish
- run: npm publish --tag ${{ env.RELEASE_CHANNEL }}
+ run: npm publish --provenance --tag ${{ env.RELEASE_CHANNEL }}
 env:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/release-oxide.yml b/.github/workflows/release-oxide.yml
index 0adb204b37af..63ca6c3a1be2 100644
--- a/.github/workflows/release-oxide.yml
+++ b/.github/workflows/release-oxide.yml
@@ -218,6 +218,9 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 15
 name: Build and release
+ permissions:
+ contents: read
+ id-token: write
 needs:
 - oxide-build
 - oxide-build-linux
@@ -273,7 +276,7 @@ jobs:
 echo "Publishing $pkg..."
 cd $pkg
 npm version ${{ env.NPM_VERSION }} --force --no-git-tag-version
- npm publish --tag insiders --access public
+ npm publish --provenance --tag insiders --access public
 cd -
 done
@@ -282,7 +285,7 @@ jobs:
 npm version ${{ env.NPM_VERSION }} --force --no-git-tag-version
 sed "s#\"0.0.0\"#\"${{ env.NPM_VERSION }}\"#g" package.json > package_updated.json
 mv package_updated.json package.json
- npm publish --tag insiders --access public
+ npm publish --provenance --tag insiders --access public
 cd -
 env:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
@@ -291,6 +294,9 @@ jobs:
 runs-on: ubuntu-latest
 timeout-minutes: 15
 name: Build and release Tailwind CSS
+ permissions:
+ contents: read
+ id-token: write
 needs:
 - oxide-release
@@ -332,6 +338,6 @@ jobs:
 run: npm version 0.0.0-oxide.${{ env.SHA_SHORT }} --force --no-git-tag-version
 - name: Publish
- run: npm publish --tag oxide
+ run: npm publish --provenance --tag oxide
 env:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/release-stable.yml b/.github/workflows/release-stable.yml
index 23a3f2dc0d7c..5c2dde17044e 100644
--- a/.github/workflows/release-stable.yml
+++ b/.github/workflows/release-stable.yml
@@ -6,6 +6,7 @@ on:
 permissions:
 contents: read
+ id-token: write
 env:
 CI: true
@@ -47,7 +48,7 @@ jobs:
 echo "TAILWINDCSS_VERSION=$(node -e 'console.log(require(`./package.json`).version);')" >> $GITHUB_ENV
 - name: Publish
- run: npm publish --tag ${{ env.RELEASE_CHANNEL }}
+ run: npm publish --provenance --tag ${{ env.RELEASE_CHANNEL }}
 env:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/oxide/crates/node/npm/darwin-arm64/package.json b/oxide/crates/node/npm/darwin-arm64/package.json
index 40b814b217eb..a7b71d9c2f16 100644
--- a/oxide/crates/node/npm/darwin-arm64/package.json
+++ b/oxide/crates/node/npm/darwin-arm64/package.json
@@ -1,6 +1,11 @@
 {
 "name": "@tailwindcss/oxide-darwin-arm64",
 "version": "0.0.0",
+ "repository": {
+ "type": "git",
+ "url": "git+https://github.com/tailwindlabs/tailwindcss.git",
+ "directory": "oxide/crates/node/npm/darwin-arm64"
+ },
 "os": [
 "darwin"
 ],
@@ -15,4 +20,4 @@
 "engines": {
 "node": ">= 10"
 }
-}
\ No newline at end of file
+}
diff --git a/oxide/crates/node/npm/darwin-x64/package.json b/oxide/crates/node/npm/darwin-x64/package.json
index bdb305a42273..b1b2811ee4f9 100644
--- a/oxide/crates/node/npm/darwin-x64/package.json
+++ b/oxide/crates/node/npm/darwin-x64/package.json
@@ -1,6 +1,11 @@
 {
 "name": "@tailwindcss/oxide-darwin-x64",
 "version": "0.0.0",
+ "repository": {
+ "type": "git",
+ "url": "git+https://github.com/tailwindlabs/tailwindcss.git",
+ "directory": "oxide/crates/node/npm/darwin-x64"
+ },
 "os": [
 "darwin"
 ],
@@ -15,4 +20,4 @@
 "engines": {
 "node": ">= 10"
 }
-}
\ No newline at end of file
+}
diff --git a/oxide/crates/node/npm/freebsd-x64/package.json b/oxide/crates/node/npm/freebsd-x64/package.json
index 77d5a87866cf..8a2b2e4ad7a2 100644
--- a/oxide/crates/node/npm/freebsd-x64/package.json
+++ b/oxide/crates/node/npm/freebsd-x64/package.json
@@ -1,6 +1,11 @@
 {
 "name": "@tailwindcss/oxide-freebsd-x64",
 "version": "0.0.0",
+ "repository": {
+ "type": "git",
+ "url": "git+https://github.com/tailwindlabs/tailwindcss.git",
+ "directory": "oxide/crates/node/npm/freebsd-x64"
+ },
 "os": [
 "freebsd"
 ],
@@ -15,4 +20,4 @@
 "engines": {
 "node": ">= 10"
 }
-}
\ No newline at end of file
+}
diff --git a/oxide/crates/node/npm/linux-arm-gnueabihf/package.json b/oxide/crates/node/npm/linux-arm-gnueabihf/package.json
index f0d06e549280..db2c73826589 100644
--- a/oxide/crates/node/npm/linux-arm-gnueabihf/package.json
+++ b/oxide/crates/node/npm/linux-arm-gnueabihf/package.json
@@ -1,6 +1,11 @@
 {
 "name": "@tailwindcss/oxide-linux-arm-gnueabihf",
 "version": "0.0.0",
+ "repository": {
+ "type": "git",
+ "url": "git+https://github.com/tailwindlabs/tailwindcss.git",
+ "directory": "oxide/crates/node/npm/linux-arm-gnueabihf"
+ },
 "os": [
 "linux"
 ],
@@ -15,4 +20,4 @@
 "engines": {
 "node": ">= 10"
 }
-}
\ No newline at end of file
+}
diff --git a/oxide/crates/node/npm/linux-arm64-gnu/package.json b/oxide/crates/node/npm/linux-arm64-gnu/package.json
index 2a89c4e43092..7e159b5fa209 100644
--- a/oxide/crates/node/npm/linux-arm64-gnu/package.json
+++ b/oxide/crates/node/npm/linux-arm64-gnu/package.json
@@ -1,6 +1,11 @@
 {
 "name": "@tailwindcss/oxide-linux-arm64-gnu",
 "version": "0.0.0",
+ "repository": {
+ "type": "git",
+ "url": "git+https://github.com/tailwindlabs/tailwindcss.git",
+ "directory": "oxide/crates/node/npm/linux-arm64-gnu"
+ },
 "os": [
 "linux"
 ],
@@ -18,4 +23,4 @@
 "libc": [
 "glibc"
 ]
-}
\ No newline at end of file
+}
diff --git a/oxide/crates/node/npm/linux-arm64-musl/package.json b/oxide/crates/node/npm/linux-arm64-musl/package.json
index cf1f7521545e..4313ee6a0f8b 100644
--- a/oxide/crates/node/npm/linux-arm64-musl/package.json
+++ b/oxide/crates/node/npm/linux-arm64-musl/package.json
@@ -1,6 +1,11 @@
 {
 "name": "@tailwindcss/oxide-linux-arm64-musl",
 "version": "0.0.0",
+ "repository": {
+ "type": "git",
+ "url": "git+https://github.com/tailwindlabs/tailwindcss.git",
+ "directory": "oxide/crates/node/npm/linux-arm64-musl"
+ },
 "os": [
 "linux"
 ],
@@ -18,4 +23,4 @@
 "libc": [
 "musl"
 ]
-}
\ No newline at end of file
+}
diff --git a/oxide/crates/node/npm/linux-x64-gnu/package.json b/oxide/crates/node/npm/linux-x64-gnu/package.json
index a5e0c4e370c4..4147d2cbab91 100644
--- a/oxide/crates/node/npm/linux-x64-gnu/package.json
+++ b/oxide/crates/node/npm/linux-x64-gnu/package.json
@@ -1,6 +1,11 @@
 {
 "name": "@tailwindcss/oxide-linux-x64-gnu",
 "version": "0.0.0",
+ "repository": {
+ "type": "git",
+ "url": "git+https://github.com/tailwindlabs/tailwindcss.git",
+ "directory": "oxide/crates/node/npm/linux-x64-gnu"
+ },
 "os": [
 "linux"
 ],
@@ -18,4 +23,4 @@
 "libc": [
 "glibc"
 ]
-}
\ No newline at end of file
+}
diff --git a/oxide/crates/node/npm/linux-x64-musl/package.json b/oxide/crates/node/npm/linux-x64-musl/package.json
index c913ee2cf7f5..bba359d3df81 100644
--- a/oxide/crates/node/npm/linux-x64-musl/package.json
+++ b/oxide/crates/node/npm/linux-x64-musl/package.json
@@ -1,6 +1,11 @@
 {
 "name": "@tailwindcss/oxide-linux-x64-musl",
 "version": "0.0.0",
+ "repository": {
+ "type": "git",
+ "url": "git+https://github.com/tailwindlabs/tailwindcss.git",
+ "directory": "oxide/crates/node/npm/linux-x64-musl"
+ },
 "os": [
 "linux"
 ],
@@ -18,4 +23,4 @@
 "libc": [
 "musl"
 ]
-}
\ No newline at end of file
+}
diff --git a/oxide/crates/node/npm/win32-x64-msvc/package.json b/oxide/crates/node/npm/win32-x64-msvc/package.json
index 12d260ae7e12..3a61a0bb7230 100644
--- a/oxide/crates/node/npm/win32-x64-msvc/package.json
+++ b/oxide/crates/node/npm/win32-x64-msvc/package.json
@@ -1,6 +1,11 @@
 {
 "name": "@tailwindcss/oxide-win32-x64-msvc",
 "version": "0.0.0",
+ "repository": {
+ "type": "git",
+ "url": "git+https://github.com/tailwindlabs/tailwindcss.git",
+ "directory": "oxide/crates/node/npm/win32-x64-msvc"
+ },
 "os": [
 "win32"
 ],
@@ -15,4 +20,4 @@
 "engines": {
 "node": ">= 10"
 }
-}
\ No newline at end of file
+}
diff --git a/oxide/crates/node/package.json b/oxide/crates/node/package.json
index f9841b69f648..07cbf6d6eca1 100644
--- a/oxide/crates/node/package.json
+++ b/oxide/crates/node/package.json
@@ -18,6 +18,11 @@
 }
 },
 "license": "MIT",
+ "repository": {
+ "type": "git",
+ "url": "git+https://github.com/tailwindlabs/tailwindcss.git",
+ "directory": "oxide/crates/node"
+ },
 "devDependencies": {
 "@napi-rs/cli": "^2.15.2"
 },
diff --git a/standalone-cli/package.json b/standalone-cli/package.json
index c3591d4a28a8..9cd652ae3593 100644
--- a/standalone-cli/package.json
+++ b/standalone-cli/package.json
@@ -1,6 +1,11 @@
 {
 "name": "tailwindcss-standalone",
 "version": "0.0.0",
+ "repository": {
+ "type": "git",
+ "url": "git+https://github.com/tailwindlabs/tailwindcss.git",
+ "directory": "standalone-cli"
+ },
 "bin": "standalone.js",
 "scripts": {
 "build": "pkg . --compress Brotli --no-bytecode --public-packages \"*\" --public",