Skip to content
This repository was archived by the owner on Mar 8, 2026. It is now read-only.

Commit 3ad4639

Browse files
committed
fix(release): add provenance-safe repository metadata
1 parent a46d29e commit 3ad4639

7 files changed

Lines changed: 31 additions & 0 deletions

File tree

README.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -245,6 +245,7 @@ Trusted-publishing learnings captured in this template:
245245
- release-please workflow uses `googleapis/release-please-action` v4.4.0 (SHA pinned) and no deprecated `command` input.
246246
- publish workflow and release-check workflow both upgrade npm (`>=11.5.1`) for consistent trusted publishing behavior.
247247
- release-check script tolerates npm `already published version` dry-run responses for post-release idempotency.
248+
- package metadata must include `repository.url` matching the GitHub repo for npm provenance verification.
248249
- for GitHub repos using this template, ensure Actions policy allows external actions and workflow permissions are `Read and write` with PR creation enabled.
249250
- first-time npm package bootstrap may still require one token-based publish before configuring npm trusted publisher on package settings.
250251

copier-template/README.md.jinja

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -107,6 +107,7 @@ Trusted-publishing defaults captured in this scaffold:
107107
- release-please action is pinned to an immutable v4.4.0 SHA.
108108
- publish workflow and release-check workflow both upgrade npm (`>=11.5.1`) for consistent trusted publishing behavior.
109109
- release-check script tolerates npm `already published version` dry-run responses for post-release idempotency.
110+
- package metadata must include `repository.url` matching the GitHub repo for npm provenance verification.
110111

111112
Recommended before release:
112113

copier-template/docs/dev/trusted_publishing.md

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -43,6 +43,7 @@ then configure trusted publisher and continue with OIDC-only CI publishes.
4343
2. **release-please PR creation failure**: workflow permissions are read-only.
4444
3. **Tag mismatch**: release-please component tags differ from publish trigger expectation.
4545
4. **Publish setup failure**: npm cache expects lockfile that is not checked in.
46+
5. **Provenance verification failure (E422)**: `package.json` `repository.url` is missing or does not match the GitHub repository URL in provenance.
4647

4748
## Verification checklist
4849

copier-template/package.json.jinja

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,14 @@
44
"description": "pi extension package for {{ command_name }} workflows in pi",
55
"type": "module",
66
"license": "MIT",
7+
"repository": {
8+
"type": "git",
9+
"url": "git+https://github.com/{{ github_maintainer }}/{{ repo_name }}.git"
10+
},
11+
"bugs": {
12+
"url": "https://github.com/{{ github_maintainer }}/{{ repo_name }}/issues"
13+
},
14+
"homepage": "https://github.com/{{ github_maintainer }}/{{ repo_name }}#readme",
715
"keywords": [
816
"pi-package",
917
"pi-extension",

copier-template/scripts/release-check.sh

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,9 +6,15 @@ cd "$ROOT_DIR"
66

77
NAME="$(node -p "JSON.parse(require('node:fs').readFileSync('package.json', 'utf8')).name")"
88
VERSION="$(node -p "JSON.parse(require('node:fs').readFileSync('package.json', 'utf8')).version")"
9+
REPOSITORY_URL="$(node -p "(() => { const pkg = JSON.parse(require('node:fs').readFileSync('package.json', 'utf8')); const repo = pkg.repository; if (typeof repo === 'string') return repo.trim(); if (repo && typeof repo === 'object' && typeof repo.url === 'string') return repo.url.trim(); return ''; })()")"
910

1011
echo "== release-check: ${NAME}@${VERSION}"
1112

13+
if [[ -z "$REPOSITORY_URL" ]]; then
14+
echo "package.json repository.url is required for provenance release publishing." >&2
15+
exit 1
16+
fi
17+
1218
if [[ "$NAME" != "${NAME,,}" ]]; then
1319
echo "Invalid npm package name: must be lowercase: $NAME" >&2
1420
exit 1

package.json

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -4,6 +4,14 @@
44
"description": "Copier template + CLI for bootstrapping production-ready pi extension repositories",
55
"type": "module",
66
"license": "MIT",
7+
"repository": {
8+
"type": "git",
9+
"url": "git+https://github.com/tryingET/pi-extensions-template_copier.git"
10+
},
11+
"bugs": {
12+
"url": "https://github.com/tryingET/pi-extensions-template_copier/issues"
13+
},
14+
"homepage": "https://github.com/tryingET/pi-extensions-template_copier#readme",
715
"keywords": [
816
"pi-package",
917
"pi-extension",

scripts/release-check-template.sh

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -6,9 +6,15 @@ cd "$ROOT_DIR"
66

77
NAME="$(node -p "JSON.parse(require('node:fs').readFileSync('package.json', 'utf8')).name")"
88
VERSION="$(node -p "JSON.parse(require('node:fs').readFileSync('package.json', 'utf8')).version")"
9+
REPOSITORY_URL="$(node -p "(() => { const pkg = JSON.parse(require('node:fs').readFileSync('package.json', 'utf8')); const repo = pkg.repository; if (typeof repo === 'string') return repo.trim(); if (repo && typeof repo === 'object' && typeof repo.url === 'string') return repo.url.trim(); return ''; })()")"
910

1011
echo "== template release-check: ${NAME}@${VERSION}"
1112

13+
if [[ -z "$REPOSITORY_URL" ]]; then
14+
echo "package.json repository.url is required for provenance release publishing." >&2
15+
exit 1
16+
fi
17+
1218
if [[ "$NAME" != "${NAME,,}" ]]; then
1319
echo "Invalid npm package name: must be lowercase: $NAME" >&2
1420
exit 1

0 commit comments

Comments
 (0)