Setup trusted publishers and provenance (#7867)

cometkim · web-flow · commit 34d78c4e0447 · 2025-09-11T05:26:56.000+09:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -674,6 +674,8 @@ jobs:
         shell: bash
 
   publish:
+    permissions:
+      id-token: write
     needs:
       - test-installation-npm
       - test-installation-pnpm
@@ -701,11 +703,9 @@ jobs:
         shell: bash
 
       - name: Publish packages on npm with tag "ci"
-        env:
-          YARN_NPM_AUTH_TOKEN: ${{ secrets.NPM_ACCESS_TOKEN }}
         run: |
           yarn workspaces foreach -W --no-private \
-            npm publish --tolerate-republish --tag ci
+            npm publish --provenance --tolerate-republish --tag ci
 
       - name: Update Website Playground
         run: curl -X POST "${{ secrets.CLOUDFLARE_PAGES_DEPLOYMENT_HOOK }}"
diff --git a/package.json b/package.json
@@ -34,6 +34,10 @@
     "Paul Tsnobiladzé (https://github.com/tsnobip)",
     "Woonki Moon (https://github.com/mununki)"
   ],
+  "publishConfig": {
+    "access": "public",
+    "provenance": true
+  },
   "engines": {
     "node": ">=20.11.0"
   },
diff --git a/packages/@rescript/darwin-arm64/package.json b/packages/@rescript/darwin-arm64/package.json
@@ -28,6 +28,7 @@
   ],
   "publishConfig": {
     "access": "public",
+    "provenance": true,
     "executableFiles": [
       "./bin/bsb_helper.exe",
       "./bin/bsc.exe",
diff --git a/packages/@rescript/darwin-x64/package.json b/packages/@rescript/darwin-x64/package.json
@@ -28,6 +28,7 @@
   ],
   "publishConfig": {
     "access": "public",
+    "provenance": true,
     "executableFiles": [
       "./bin/bsb_helper.exe",
       "./bin/bsc.exe",
diff --git a/packages/@rescript/linux-arm64/package.json b/packages/@rescript/linux-arm64/package.json
@@ -28,6 +28,7 @@
   ],
   "publishConfig": {
     "access": "public",
+    "provenance": true,
     "executableFiles": [
       "./bin/bsb_helper.exe",
       "./bin/bsc.exe",
diff --git a/packages/@rescript/linux-x64/package.json b/packages/@rescript/linux-x64/package.json
@@ -28,6 +28,7 @@
   ],
   "publishConfig": {
     "access": "public",
+    "provenance": true,
     "executableFiles": [
       "./bin/bsb_helper.exe",
       "./bin/bsc.exe",
diff --git a/packages/@rescript/runtime/package.json b/packages/@rescript/runtime/package.json
@@ -27,7 +27,8 @@
     "Woonki Moon (https://github.com/mununki)"
   ],
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "files": [
     "lib"
diff --git a/packages/@rescript/win32-x64/package.json b/packages/@rescript/win32-x64/package.json
@@ -28,6 +28,7 @@
   ],
   "publishConfig": {
     "access": "public",
+    "provenance": true,
     "executableFiles": [
       "./bin/bsb_helper.exe",
       "./bin/bsc.exe",
