yarnpkg / berry

📦🐈 Active development trunk for Yarn ⚒
https://yarnpkg.com
BSD 2-Clause "Simplified" License

[Feature] Add support for `yarn npm publish --provenance` and `publishConfig.provenance` option #5430

Open wojtekmaj opened 1 year ago

wojtekmaj commented 1 year ago

Describe the user story

npm has recently announced npm provenance public beta. At the moment, the command `yarn npm publish --provenance` produces an error, while `publishConfig.provenance` is nowhere to be found in the docs, meaning - it may or may not work, who knows?

Describe the solution you'd like

- Support and document `--provenance` flag in `yarn npm publish` command
- Support and document `publishConfig.provenance` option in `package.json`

Describe the drawbacks of your solution

None that I know of

Describe alternatives you've considered

`npm publish --provenance`, but that doesn't allow me to use custom hooks I've implemented using Yarn plugins.

rsoberano-ld commented 10 months ago

Hi, did this feature get any traction? We're interested in using yarn for publishing provenance as well.

For context, we currently use `yarn npm publish` to package and publish our packages. However, this doesn't output an artifact locally or the shasum of the artifact, so we have no way of generating build provenance from the artifact that yarn packages and publishes. It'd be ideal if yarn could support the `--provenance` parameter, but even outputting the shasum of the generated yarn package would be helpful to give us options here.

wojtekmaj commented 8 months ago

For impatient ones: you can pack your package using Yarn, but publish it using npm. This way you can still e.g. use Yarn plugins. Only at the very last moment do you pass the job on to npm, to publish the prepared `package.tgz` file(s).

Here's how I did it: https://github.com/wojtekmaj/react-async-button/commit/585692056cb04422c6f4594b46a3022d1157e5fa
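A sketch of the pack-with-Yarn, publish-with-npm workaround described in this thread, added here as an example (it is not part of any comment and is not taken from the linked commit). It also records the tarball digests that an earlier comment asks for, and refuses to publish if the tarball no longer matches the digest recorded at pack time. The function names, the `TARBALL` variable and the `--publish` switch are assumptions; it expects GNU `sha1sum`/`sha512sum`, and `npm publish --provenance` only works in a CI environment that npm supports for provenance.

```shell
#!/usr/bin/env bash
# Added example: names below are hypothetical, not Yarn or npm conventions.
TARBALL="${TARBALL:-package.tgz}"

# SHA-1 hex digest of a file (the form npm registry metadata calls "shasum").
tarball_sha1() {
  sha1sum "$1" | cut -d' ' -f1
}

# SHA-512 hex digest of a file, suitable as a provenance subject digest.
tarball_sha512() {
  sha512sum "$1" | cut -d' ' -f1
}

# Succeeds only if file $1 has the expected SHA-512 hex digest $2.
verify_tarball() {
  [ "$(tarball_sha512 "$1")" = "$2" ]
}

# Build step: Yarn creates the tarball, so Yarn plugins and hooks still run.
# Prints the digests and stores the SHA-512 next to the tarball.
pack_step() {
  yarn pack --out "$TARBALL" || return 1
  echo "sha1:   $(tarball_sha1 "$TARBALL")"
  echo "sha512: $(tarball_sha512 "$TARBALL")"
  tarball_sha512 "$TARBALL" > "$TARBALL.sha512"
}

# Publish step: check the tarball against the recorded digest, then hand the
# prebuilt file to npm, which uploads it and generates the provenance.
publish_step() {
  expected="$(cat "$TARBALL.sha512")" || return 1
  if ! verify_tarball "$TARBALL" "$expected"; then
    echo "digest mismatch for $TARBALL, refusing to publish" >&2
    return 1
  fi
  npm publish "$TARBALL" --provenance
}

# Nothing is packed or published unless the script is run with --publish.
if [ "${1:-}" = "--publish" ]; then
  pack_step && publish_step
fi
```
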

MaikoTan commented 3 months ago

I quickly checked the code that publishes packages. It looks like yarn publishes packages with its own code instead of using npm under the hood, so is it required to implement NPM's code in yarn as well? Or would it be better to call `npm publish` instead when the user adds a `--provenance` option?

I am thrilled to see this feature implemented in yarn.