From e8e013cf43c4b835a164ce4f266fe3da7fcff7c0 Mon Sep 17 00:00:00 2001
From: Jakub Pavlik
Date: Thu, 14 Nov 2024 13:44:58 +0100
Subject: [PATCH] Enable supply chain security through npm provenance attestation

- Configure GitHub Actions workflow for secure publishing
- Enable automatic provenance generation during npm publish
- Add integrity verification through Sigstore transparency logs

Fixes: https://github.com/microsoft/TypeScript/issues/60497
---
 .github/workflows/insiders.yaml | 4 +++-
 .github/workflows/nightly.yaml  | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/insiders.yaml b/.github/workflows/insiders.yaml
index dc23cc43673b8..b9365cb0dcffd 100644
--- a/.github/workflows/insiders.yaml
+++ b/.github/workflows/insiders.yaml
@@ -7,6 +7,8 @@ on:
 
 permissions:
   contents: read
+  id-token: write # Required for provenance
+  packages: write # Required for publishing
 
 # Ensure scripts are run with pipefail. See:
 # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
@@ -60,6 +62,6 @@ jobs:
           npx hereby configure-insiders
           npx hereby LKG
           node ./scripts/addPackageJsonGitHead.mjs package.json
-          npm publish --tag insiders
+          npm publish --provenance --tag insiders
         env:
           NODE_AUTH_TOKEN: ${{secrets.npm_token}}
diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml
index 375a8255ae67b..b99df5f1dcf7c 100644
--- a/.github/workflows/nightly.yaml
+++ b/.github/workflows/nightly.yaml
@@ -8,6 +8,8 @@ on:
 
 permissions:
   contents: read
+  id-token: write # Required for provenance
+  packages: write # Required for publishing
 
 # Ensure scripts are run with pipefail. See:
 # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
@@ -60,6 +62,6 @@ jobs:
           npx hereby configure-nightly
           npx hereby LKG
           node ./scripts/addPackageJsonGitHead.mjs package.json
-          npm publish --tag next
+          npm publish --provenance --tag next
         env:
           NODE_AUTH_TOKEN: ${{secrets.npm_token}}
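Review bot: `packages: write` in the insiders.yaml permissions hunk grants the job's GITHUB_TOKEN write access to GitHub Packages, which this workflow does not use — the publish step goes to the npm registry authenticated by `NODE_AUTH_TOKEN`, and `npm publish --provenance` only needs `id-token: write` to obtain the OIDC token that Sigstore signs. The inline comment `# Required for publishing` is therefore misleading and the grant widens the job token beyond least privilege; drop the line, or if something outside this diff consumes it, change the comment to name that consumer. The same two lines are added in the permissions hunk of nightly.yaml. A small style point on both: the inline comments have a single space before `#`, whereas yamllint's default expects two, e.g. `id-token: write  # Required for provenance`.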
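Review bot: `npm publish --provenance` at the end of the second insiders.yaml hunk makes the publish fail outright if the runner's npm predates 9.5.0 or if the `repository.url` in package.json does not match this repository, because the registry rejects a provenance bundle whose build source disagrees with the package metadata; the step that pins the Node/npm version is outside this hunk, so I cannot confirm it from the diff. A comment above the publish line such as `# --provenance needs npm >= 9.5.0 and package.json repository.url pointing at this repo` would keep that constraint visible next to the flag. Note that the attestation records where the tarball was built but does not replace `NODE_AUTH_TOKEN`, which remains the publishing credential and should stay a narrowly scoped automation token. The same change is made in the nightly.yaml publish hunk.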