Open wojtekmaj opened 1 year ago
Hi, did this feature get any traction? We're interested in using yarn for publishing provenance as well.
For context, we currently use yarn npm publish
to package and publish our packages. However, this doesn't output an artifact locally or the shasum of the artifact, so we have no way of generating build provenance from the artifact that yarn packages and publishes. It'd be ideal if yarn could support the --provenance
parameter, but even outputting the shasum of the generated yarn package would be helpful to give us options here.
For impatient ones: you can pack your package using Yarn, but publish it using npm. This way you can still e.g. use Yarn plugins. Only at the very last moment you pass the job on to npm, to publish prepared package.tgz
file(s).
Here's how I did it: https://github.com/wojtekmaj/react-async-button/commit/585692056cb04422c6f4594b46a3022d1157e5fa
I quickly checked the code that publishes packages. It looks like that yarn
publishes packages with its own instead of using npm underhood, so it is required to implement NPM's code in yarn
's as well?
Or would it be better to call npm publish
instead while the user adds a --provenance
option?
I am thrilled to see this feature implemented in yarn
.
Describe the user story
npm has recently announced npm provenance public beta. At the moment, the command
yarn npm publish --provenance
produces and error, whilepublishConfig.provenance
is nowhere to be found in the docs, meaning - it may or may not work, who knows?Describe the solution you'd like
Support and document
--provenance
flag inyarn npm publish
command Support and documentpublishConfig.provenance
option inpackage.json
Describe the drawbacks of your solution
None that I know of
Describe alternatives you've considered
npm publish --provenance
, but that doesn't allow me to use custom hooks I've implemented using Yarn plugins.