feat(publish): enable package provenance by default on github actions (#22635)
This commit is contained in:
parent
ab71733469
commit
9ffc34c159
4 changed files with 21 additions and 32 deletions
|
@ -302,7 +302,7 @@ pub struct PublishFlags {
|
|||
pub token: Option<String>,
|
||||
pub dry_run: bool,
|
||||
pub allow_slow_types: bool,
|
||||
pub provenance: bool,
|
||||
pub no_provenance: bool,
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, Eq, PartialEq)]
|
||||
|
@ -2404,9 +2404,9 @@ fn publish_subcommand() -> Command {
|
|||
.action(ArgAction::SetTrue),
|
||||
)
|
||||
.arg(
|
||||
Arg::new("provenance")
|
||||
.long("provenance")
|
||||
.help("From CI/CD system, publicly links the package to where it was built and published from.")
|
||||
Arg::new("no-provenance")
|
||||
.long("no-provenance")
|
||||
.help("Disable provenance attestation. Enabled by default on Github actions, publicly links the package to where it was built and published from.")
|
||||
.action(ArgAction::SetTrue)
|
||||
)
|
||||
.arg(check_arg(/* type checks by default */ true))
|
||||
|
@ -3860,7 +3860,7 @@ fn publish_parse(flags: &mut Flags, matches: &mut ArgMatches) {
|
|||
token: matches.remove_one("token"),
|
||||
dry_run: matches.get_flag("dry-run"),
|
||||
allow_slow_types: matches.get_flag("allow-slow-types"),
|
||||
provenance: matches.get_flag("provenance"),
|
||||
no_provenance: matches.get_flag("no-provenance"),
|
||||
});
|
||||
}
|
||||
|
||||
|
@ -8580,6 +8580,7 @@ mod tests {
|
|||
let r = flags_from_vec(svec![
|
||||
"deno",
|
||||
"publish",
|
||||
"--no-provenance",
|
||||
"--dry-run",
|
||||
"--allow-slow-types",
|
||||
"--token=asdf",
|
||||
|
@ -8591,26 +8592,7 @@ mod tests {
|
|||
token: Some("asdf".to_string()),
|
||||
dry_run: true,
|
||||
allow_slow_types: true,
|
||||
provenance: false,
|
||||
}),
|
||||
type_check_mode: TypeCheckMode::Local,
|
||||
..Flags::default()
|
||||
}
|
||||
);
|
||||
}
|
||||
|
||||
#[test]
|
||||
fn publish_provenance_args() {
|
||||
let r =
|
||||
flags_from_vec(svec!["deno", "publish", "--provenance", "--token=asdf",]);
|
||||
assert_eq!(
|
||||
r.unwrap(),
|
||||
Flags {
|
||||
subcommand: DenoSubcommand::Publish(PublishFlags {
|
||||
token: Some("asdf".to_string()),
|
||||
dry_run: false,
|
||||
allow_slow_types: false,
|
||||
provenance: true,
|
||||
no_provenance: true,
|
||||
}),
|
||||
type_check_mode: TypeCheckMode::Local,
|
||||
..Flags::default()
|
||||
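Review bot: The `--no-provenance` help text in the `@ -2404` hunk is the only place a user learns that provenance is now implicit, and it omits the second opt-out this commit honours (a `DISABLE_JSR_PROVENANCE` variable in the environment, checked in the publish code) while reading as two unrelated sentences. Because the attestation publicly ties the package to where it was built, both opt-outs should be discoverable from `deno publish --help`, e.g. `.help("Disable provenance attestation. Provenance is enabled by default on GitHub Actions when an OIDC token is available and publicly links the package to where it was built and published from; it can also be disabled by setting the DISABLE_JSR_PROVENANCE environment variable.")`. The `no_provenance` field added to `PublishFlags` in the `@ -302` hunk would benefit from a one-line `///` comment stating the same default. `publish_subcommand` and `publish_parse` both continue outside their hunks.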
|
|
|
@ -470,7 +470,7 @@ async fn perform_publish(
|
|||
mut publish_order_graph: PublishOrderGraph,
|
||||
mut prepared_package_by_name: HashMap<String, Rc<PreparedPublishPackage>>,
|
||||
auth_method: AuthMethod,
|
||||
provenance: bool,
|
||||
no_provenance: bool,
|
||||
) -> Result<(), AnyError> {
|
||||
let client = http_client.client()?;
|
||||
let registry_api_url = jsr_api_url().to_string();
|
||||
|
@ -531,7 +531,7 @@ async fn perform_publish(
|
|||
®istry_api_url,
|
||||
®istry_url,
|
||||
&authorization,
|
||||
provenance,
|
||||
no_provenance,
|
||||
)
|
||||
.await
|
||||
.with_context(|| format!("Failed to publish {}", display_name))?;
|
||||
|
@ -558,7 +558,7 @@ async fn publish_package(
|
|||
registry_api_url: &str,
|
||||
registry_url: &str,
|
||||
authorization: &str,
|
||||
provenance: bool,
|
||||
no_provenance: bool,
|
||||
) -> Result<(), AnyError> {
|
||||
let client = http_client.client()?;
|
||||
println!(
|
||||
|
@ -665,8 +665,12 @@ async fn publish_package(
|
|||
package.version
|
||||
);
|
||||
|
||||
if provenance {
|
||||
// Get the version manifest from JSR
|
||||
let enable_provenance = std::env::var("DISABLE_JSR_PROVENANCE").is_err()
|
||||
|| (auth::is_gha() && auth::gha_oidc_token().is_some() && !no_provenance);
|
||||
|
||||
// Enable provenance by default on Github actions with OIDC token
|
||||
if enable_provenance {
|
||||
// Get the version manifest from the registry
|
||||
let meta_url = jsr_url().join(&format!(
|
||||
"@{}/{}/{}_meta.json",
|
||||
package.scope, package.package, package.version
|
||||
|
@ -942,7 +946,7 @@ pub async fn publish(
|
|||
prepared_data.publish_order_graph,
|
||||
prepared_data.package_by_name,
|
||||
auth_method,
|
||||
publish_flags.provenance,
|
||||
publish_flags.no_provenance,
|
||||
)
|
||||
.await?;
|
||||
|
||||
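Review bot: The `enable_provenance` expression in the `@ -665` hunk is `std::env::var("DISABLE_JSR_PROVENANCE").is_err() || (auth::is_gha() && auth::gha_oidc_token().is_some() && !no_provenance)`, so whenever the variable is unset the whole condition is true and provenance is attempted off GitHub Actions and even when the user passed `--no-provenance`; conversely, when the variable is set, the right-hand side can still switch it on inside GHA. Both opt-outs are therefore ineffective in the common case, which matters because the attestation is public once uploaded. The comment `// Enable provenance by default on Github actions with OIDC token` describes the intended rule, which needs `&&` throughout: `let enable_provenance = std::env::var("DISABLE_JSR_PROVENANCE").is_err() && auth::is_gha() && auth::gha_oidc_token().is_some() && !no_provenance;`. Note the check is by presence only, so any value of the variable disables provenance. `publish_package` continues outside this hunk, so I cannot see how the non-GHA path behaves once `enable_provenance` is true.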
|
|
|
@ -166,7 +166,7 @@ itest!(successful {
|
|||
});
|
||||
|
||||
itest!(provenance {
|
||||
args: "publish --provenance",
|
||||
args: "publish",
|
||||
output: "publish/successful_provenance.out",
|
||||
cwd: Some("publish/successful"),
|
||||
envs: env_vars_for_jsr_provenance_tests(),
|
||||
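Review bot: After this change the `provenance` itest only covers the implicit-on path; nothing runs `publish --no-provenance` under `env_vars_for_jsr_provenance_tests()` to confirm the flag actually suppresses the attestation, and the pre-existing `successful` test runs with `DISABLE_JSR_PROVENANCE` set, so the plain "not on GHA, variable unset" default is untested too. A second itest mirroring `provenance` with `args: "publish --no-provenance"` and the non-provenance expected output would pin the opt-out, which is the behaviour a user relies on to keep build-location metadata private. The `itest!(provenance` block continues outside the hunk.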
|
|
|
@ -60,12 +60,14 @@ pub fn env_vars_for_npm_tests() -> Vec<(String, String)> {
|
|||
pub fn env_vars_for_jsr_tests() -> Vec<(String, String)> {
|
||||
vec![
|
||||
("JSR_URL".to_string(), jsr_registry_url()),
|
||||
("DISABLE_JSR_PROVENANCE".to_string(), "true".to_string()),
|
||||
("NO_COLOR".to_string(), "1".to_string()),
|
||||
]
|
||||
}
|
||||
|
||||
pub fn env_vars_for_jsr_provenance_tests() -> Vec<(String, String)> {
|
||||
let mut envs = env_vars_for_jsr_tests();
|
||||
envs.retain(|(key, _)| key != "DISABLE_JSR_PROVENANCE");
|
||||
envs.extend(vec![
|
||||
("REKOR_URL".to_string(), rekor_url()),
|
||||
("FULCIO_URL".to_string(), fulcio_url()),
|
||||
|
@ -112,6 +114,7 @@ pub fn env_vars_for_jsr_npm_tests() -> Vec<(String, String)> {
|
|||
vec![
|
||||
("NPM_CONFIG_REGISTRY".to_string(), npm_registry_url()),
|
||||
("JSR_URL".to_string(), jsr_registry_url()),
|
||||
("DISABLE_JSR_PROVENANCE".to_string(), "true".to_string()),
|
||||
("NO_COLOR".to_string(), "1".to_string()),
|
||||
]
|
||||
}
|
||||
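Review bot: The literal `"DISABLE_JSR_PROVENANCE"` now appears three times in this file (the two `vec!` entries and the filter `envs.retain(|(key, _)| key != "DISABLE_JSR_PROVENANCE");`), and because `retain` matches by string, a typo in any copy would silently leave provenance disabled in the provenance tests while they still pass as "successful". Hoisting the name into a single `const` `&str` in this module and using it in all three places removes that failure mode; `envs.extend([...])` would also avoid the intermediate `vec!`. The publish code checks the variable by presence (`is_err()`), so the `"true"` value is cosmetic and a comment saying so would stop readers from assuming `"false"` re-enables it. `env_vars_for_jsr_provenance_tests` continues past the hunk.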
|
|