feat(publish): enable package provenance by default on github actions (#22635)

2024-10-04 07:09:20 +00:00 · 2024-02-29 21:48:47 +05:30 · 2024-02-29 21:48:47 +05:30 · 9ffc34c159
parent ab71733469
commit 9ffc34c159
4 changed files with 21 additions and 32 deletions
--- a/cli/args/flags.rs
+++ b/cli/args/flags.rs
@ -302,7 +302,7 @@ pub struct PublishFlags {
  pub token: Option<String>,
  pub dry_run: bool,
  pub allow_slow_types: bool,
-  pub provenance: bool,
+  pub no_provenance: bool,
 }

 #[derive(Clone, Debug, Eq, PartialEq)]
@ -2404,9 +2404,9 @@ fn publish_subcommand() -> Command {
          .action(ArgAction::SetTrue),
      )
      .arg(
-        Arg::new("provenance")
-          .long("provenance")
-          .help("From CI/CD system, publicly links the package to where it was built and published from.")
+        Arg::new("no-provenance")
+          .long("no-provenance")
+          .help("Disable provenance attestation. Enabled by default on Github actions, publicly links the package to where it was built and published from.")
          .action(ArgAction::SetTrue)
      )
      .arg(check_arg(/* type checks by default */ true))
@ -3860,7 +3860,7 @@ fn publish_parse(flags: &mut Flags, matches: &mut ArgMatches) {
    token: matches.remove_one("token"),
    dry_run: matches.get_flag("dry-run"),
    allow_slow_types: matches.get_flag("allow-slow-types"),
-    provenance: matches.get_flag("provenance"),
+    no_provenance: matches.get_flag("no-provenance"),
  });
 }

@ -8580,6 +8580,7 @@ mod tests {
    let r = flags_from_vec(svec![
      "deno",
      "publish",
+      "--no-provenance",
      "--dry-run",
      "--allow-slow-types",
      "--token=asdf",
@ -8591,26 +8592,7 @@ mod tests {
          token: Some("asdf".to_string()),
          dry_run: true,
          allow_slow_types: true,
-          provenance: false,
-        }),
-        type_check_mode: TypeCheckMode::Local,
-        ..Flags::default()
-      }
-    );
-  }
-
-  #[test]
-  fn publish_provenance_args() {
-    let r =
-      flags_from_vec(svec!["deno", "publish", "--provenance", "--token=asdf",]);
-    assert_eq!(
-      r.unwrap(),
-      Flags {
-        subcommand: DenoSubcommand::Publish(PublishFlags {
-          token: Some("asdf".to_string()),
-          dry_run: false,
-          allow_slow_types: false,
-          provenance: true,
+          no_provenance: true,
        }),
        type_check_mode: TypeCheckMode::Local,
        ..Flags::default()
--- a/cli/tools/registry/mod.rs
+++ b/cli/tools/registry/mod.rs
@ -470,7 +470,7 @@ async fn perform_publish(
  mut publish_order_graph: PublishOrderGraph,
  mut prepared_package_by_name: HashMap<String, Rc<PreparedPublishPackage>>,
  auth_method: AuthMethod,
-  provenance: bool,
+  no_provenance: bool,
 ) -> Result<(), AnyError> {
  let client = http_client.client()?;
  let registry_api_url = jsr_api_url().to_string();
@ -531,7 +531,7 @@ async fn perform_publish(
          &registry_api_url,
          &registry_url,
          &authorization,
-          provenance,
+          no_provenance,
        )
        .await
        .with_context(|| format!("Failed to publish {}", display_name))?;
@ -558,7 +558,7 @@ async fn publish_package(
  registry_api_url: &str,
  registry_url: &str,
  authorization: &str,
-  provenance: bool,
+  no_provenance: bool,
 ) -> Result<(), AnyError> {
  let client = http_client.client()?;
  println!(
@ -665,8 +665,12 @@ async fn publish_package(
    package.version
  );

-  if provenance {
-    // Get the version manifest from JSR
+  let enable_provenance = std::env::var("DISABLE_JSR_PROVENANCE").is_err()
+    || (auth::is_gha() && auth::gha_oidc_token().is_some() && !no_provenance);
+
+  // Enable provenance by default on Github actions with OIDC token
+  if enable_provenance {
+    // Get the version manifest from the registry
    let meta_url = jsr_url().join(&format!(
      "@{}/{}/{}_meta.json",
      package.scope, package.package, package.version
@ -942,7 +946,7 @@ pub async fn publish(
    prepared_data.publish_order_graph,
    prepared_data.package_by_name,
    auth_method,
-    publish_flags.provenance,
+    publish_flags.no_provenance,
  )
  .await?;

--- a/tests/integration/publish_tests.rs
+++ b/tests/integration/publish_tests.rs
@ -166,7 +166,7 @@ itest!(successful {
 });

 itest!(provenance {
-  args: "publish --provenance",
+  args: "publish",
  output: "publish/successful_provenance.out",
  cwd: Some("publish/successful"),
  envs: env_vars_for_jsr_provenance_tests(),
--- a/tests/util/server/src/lib.rs
+++ b/tests/util/server/src/lib.rs
@ -60,12 +60,14 @@ pub fn env_vars_for_npm_tests() -> Vec<(String, String)> {
 pub fn env_vars_for_jsr_tests() -> Vec<(String, String)> {
  vec![
    ("JSR_URL".to_string(), jsr_registry_url()),
+    ("DISABLE_JSR_PROVENANCE".to_string(), "true".to_string()),
    ("NO_COLOR".to_string(), "1".to_string()),
  ]
 }

 pub fn env_vars_for_jsr_provenance_tests() -> Vec<(String, String)> {
  let mut envs = env_vars_for_jsr_tests();
+  envs.retain(|(key, _)| key != "DISABLE_JSR_PROVENANCE");
  envs.extend(vec![
    ("REKOR_URL".to_string(), rekor_url()),
    ("FULCIO_URL".to_string(), fulcio_url()),
@ -112,6 +114,7 @@ pub fn env_vars_for_jsr_npm_tests() -> Vec<(String, String)> {
  vec![
    ("NPM_CONFIG_REGISTRY".to_string(), npm_registry_url()),
    ("JSR_URL".to_string(), jsr_registry_url()),
+    ("DISABLE_JSR_PROVENANCE".to_string(), "true".to_string()),
    ("NO_COLOR".to_string(), "1".to_string()),
  ]
 }