From a66fc65742d41a8516b345e3c7224a280fc03532 Mon Sep 17 00:00:00 2001
From: Superchupu <53496941+SuperchupuDev@users.noreply.github.com>
Date: Mon, 4 Mar 2024 21:11:32 +0000
Subject: [PATCH] ci: enable npm provenance (#10164)

* chore: enable npm provenance

* chore: do the same for dev releases

* chore: actually enable it in normal releases

* chore: specify provenance in `package.json`

* chore: remove `publishConfig` from api-extractor-utils as it's `private`
---
 .github/workflows/publish-dev.yml                            | 4 +++-
 .github/workflows/publish-release.yml                        | 4 +++-
 packages/api-extractor-utils/package.json                    | 3 ---
 packages/brokers/package.json                                | 3 ++-
 packages/builders/package.json                               | 3 ++-
 packages/collection/package.json                             | 3 ++-
 packages/core/package.json                                   | 3 ++-
 packages/create-discord-bot/package.json                     | 3 ++-
 packages/discord.js/package.json                             | 3 +++
 packages/docgen/package.json                                 | 3 ++-
 packages/formatters/package.json                             | 3 ++-
 packages/next/package.json                                   | 3 ++-
 packages/proxy-container/package.json                        | 3 ++-
 packages/proxy/package.json                                  | 3 ++-
 packages/rest/package.json                                   | 3 ++-
 packages/scripts/turbo/generators/templates/package.json.hbs | 3 ++-
 packages/ui/package.json                                     | 3 ++-
 packages/util/package.json                                   | 3 ++-
 packages/voice/package.json                                  | 3 ++-
 packages/ws/package.json                                     | 3 ++-
 20 files changed, 41 insertions(+), 21 deletions(-)

diff --git a/.github/workflows/publish-dev.yml b/.github/workflows/publish-dev.yml
index ea00a3cef..7482c76a4 100644
--- a/.github/workflows/publish-dev.yml
+++ b/.github/workflows/publish-dev.yml
@@ -35,6 +35,8 @@ jobs:
           - package: '@discordjs/ws'
             folder: 'ws'
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     env:
       TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
       TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
@@ -71,7 +73,7 @@ jobs:
         if: steps.release-check.outputs.release == '1'
         run: |
           pnpm --filter=${{ matrix.package }} run release --preid "dev.$(date +%s)-$(git rev-parse --short HEAD)"
-          pnpm --filter=${{ matrix.package }} publish --no-git-checks --tag dev || true
+          pnpm --filter=${{ matrix.package }} publish --provenance --no-git-checks --tag dev || true
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
 
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index fe24ba9f6..2960253dc 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -6,6 +6,8 @@ jobs:
   npm-publish:
     name: npm publish
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     env:
       TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
       TURBO_TEAM: ${{ secrets.TURBO_TEAM }}
@@ -34,6 +36,6 @@ jobs:
 
       - name: Publish package
         run: |
-          pnpm --filter=${{ steps.extract-tag.outputs.subpackage == 'true' && '@discordjs/' || '' }}${{ steps.extract-tag.outputs.package }} publish --no-git-checks
+          pnpm --filter=${{ steps.extract-tag.outputs.subpackage == 'true' && '@discordjs/' || '' }}${{ steps.extract-tag.outputs.package }} publish --provenance --no-git-checks
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
diff --git a/packages/api-extractor-utils/package.json b/packages/api-extractor-utils/package.json
index aae57f254..a1e246b77 100644
--- a/packages/api-extractor-utils/package.json
+++ b/packages/api-extractor-utils/package.json
@@ -61,8 +61,5 @@
 	},
 	"engines": {
 		"node": ">=18"
-	},
-	"publishConfig": {
-		"access": "public"
 	}
 }
diff --git a/packages/brokers/package.json b/packages/brokers/package.json
index 61ddad58e..c3b35c959 100644
--- a/packages/brokers/package.json
+++ b/packages/brokers/package.json
@@ -91,6 +91,7 @@
 		"node": ">=18"
 	},
 	"publishConfig": {
-		"access": "public"
+		"access": "public",
+		"provenance": true
 	}
 }
diff --git a/packages/builders/package.json b/packages/builders/package.json
index f005d7d3b..26b1fce70 100644
--- a/packages/builders/package.json
+++ b/packages/builders/package.json
@@ -94,6 +94,7 @@
 		"node": ">=16.11.0"
 	},
 	"publishConfig": {
-		"access": "public"
+		"access": "public",
+		"provenance": true
 	}
 }
diff --git a/packages/collection/package.json b/packages/collection/package.json
index 6a8dc4aa0..146dd1f3d 100644
--- a/packages/collection/package.json
+++ b/packages/collection/package.json
@@ -80,6 +80,7 @@
 		"node": ">=18"
 	},
 	"publishConfig": {
-		"access": "public"
+		"access": "public",
+		"provenance": true
 	}
 }
diff --git a/packages/core/package.json b/packages/core/package.json
index 7cc37fedf..b3a043df9 100644
--- a/packages/core/package.json
+++ b/packages/core/package.json
@@ -92,6 +92,7 @@
 		"node": ">=18"
 	},
 	"publishConfig": {
-		"access": "public"
+		"access": "public",
+		"provenance": true
 	}
 }
diff --git a/packages/create-discord-bot/package.json b/packages/create-discord-bot/package.json
index 88ec8c2a2..631c95503 100644
--- a/packages/create-discord-bot/package.json
+++ b/packages/create-discord-bot/package.json
@@ -75,6 +75,7 @@
 		"node": ">=18"
 	},
 	"publishConfig": {
-		"access": "public"
+		"access": "public",
+		"provenance": true
 	}
 }
diff --git a/packages/discord.js/package.json b/packages/discord.js/package.json
index 0b4bb2dff..2115f5baa 100644
--- a/packages/discord.js/package.json
+++ b/packages/discord.js/package.json
@@ -100,5 +100,8 @@
   },
   "engines": {
     "node": ">=16.11.0"
+  },
+  "publishConfig": {
+    "provenance": true
   }
 }
diff --git a/packages/docgen/package.json b/packages/docgen/package.json
index 809d0beb8..79a7c562b 100644
--- a/packages/docgen/package.json
+++ b/packages/docgen/package.json
@@ -81,6 +81,7 @@
 		"node": ">=18"
 	},
 	"publishConfig": {
-		"access": "public"
+		"access": "public",
+		"provenance": true
 	}
 }
diff --git a/packages/formatters/package.json b/packages/formatters/package.json
index 36ea640c4..c47100b8f 100644
--- a/packages/formatters/package.json
+++ b/packages/formatters/package.json
@@ -77,6 +77,7 @@
 		"node": ">=16.11.0"
 	},
 	"publishConfig": {
-		"access": "public"
+		"access": "public",
+		"provenance": true
 	}
 }
diff --git a/packages/next/package.json b/packages/next/package.json
index ccc61a43a..a4f7cbddb 100644
--- a/packages/next/package.json
+++ b/packages/next/package.json
@@ -94,6 +94,7 @@
 		"node": ">=18"
 	},
 	"publishConfig": {
-		"access": "public"
+		"access": "public",
+		"provenance": true
 	}
 }
diff --git a/packages/proxy-container/package.json b/packages/proxy-container/package.json
index 832e15517..2fbd46fad 100644
--- a/packages/proxy-container/package.json
+++ b/packages/proxy-container/package.json
@@ -63,6 +63,7 @@
 		"node": ">=18"
 	},
 	"publishConfig": {
-		"access": "public"
+		"access": "public",
+		"provenance": true
 	}
 }
diff --git a/packages/proxy/package.json b/packages/proxy/package.json
index 1dee84070..722c92daa 100644
--- a/packages/proxy/package.json
+++ b/packages/proxy/package.json
@@ -92,6 +92,7 @@
 		"node": ">=18"
 	},
 	"publishConfig": {
-		"access": "public"
+		"access": "public",
+		"provenance": true
 	}
 }
diff --git a/packages/rest/package.json b/packages/rest/package.json
index c9b5eadef..fa9cd72cd 100644
--- a/packages/rest/package.json
+++ b/packages/rest/package.json
@@ -113,6 +113,7 @@
 		"node": ">=16.11.0"
 	},
 	"publishConfig": {
-		"access": "public"
+		"access": "public",
+		"provenance": true
 	}
 }
diff --git a/packages/scripts/turbo/generators/templates/package.json.hbs b/packages/scripts/turbo/generators/templates/package.json.hbs
index 223cbfd4c..40959275f 100644
--- a/packages/scripts/turbo/generators/templates/package.json.hbs
+++ b/packages/scripts/turbo/generators/templates/package.json.hbs
@@ -70,6 +70,7 @@
 		"node": ">=18"
 	},
 	"publishConfig": {
-		"access": "public"
+		"access": "public",
+		"provenance": true
 	}
 }
diff --git a/packages/ui/package.json b/packages/ui/package.json
index c77fce5ae..4c9c4b58e 100644
--- a/packages/ui/package.json
+++ b/packages/ui/package.json
@@ -93,6 +93,7 @@
 		"node": ">=18"
 	},
 	"publishConfig": {
-		"access": "public"
+		"access": "public",
+		"provenance": true
 	}
 }
diff --git a/packages/util/package.json b/packages/util/package.json
index 9fd11c30b..af5fa1967 100644
--- a/packages/util/package.json
+++ b/packages/util/package.json
@@ -82,7 +82,8 @@
 		"node": ">=16.11.0"
 	},
 	"publishConfig": {
-		"access": "public"
+		"access": "public",
+		"provenance": true
 	},
 	"tsd": {
 		"directory": "__tests__/types"
diff --git a/packages/voice/package.json b/packages/voice/package.json
index 9b5981d2c..1581b7780 100644
--- a/packages/voice/package.json
+++ b/packages/voice/package.json
@@ -95,6 +95,7 @@
 		"node": ">=16.11.0"
 	},
 	"publishConfig": {
-		"access": "public"
+		"access": "public",
+		"provenance": true
 	}
 }
diff --git a/packages/ws/package.json b/packages/ws/package.json
index 84c79c000..2e64f9401 100644
--- a/packages/ws/package.json
+++ b/packages/ws/package.json
@@ -107,6 +107,7 @@
 		"node": ">=16.11.0"
 	},
 	"publishConfig": {
-		"access": "public"
+		"access": "public",
+		"provenance": true
 	}
 }