Skip to content

Verify npm provenance attestations on the next release #63

Description

@djacu

Context

@nixos/branding is configured for npm trusted publishing (OIDC): the trusted publisher on npmjs names repo nixos/branding / workflow release-guide.yml, and id-token: write is granted on both the caller job (release-npm-package in release-guide.yml) and the child job (build-npm-package in release-npm-package.yaml). Per npm's docs, trusted publishing from a public repo auto-generates provenance attestations — no --provenance flag needed — and for reusable workflows the trusted publisher must name the top-level workflow (which it does).

The currently published versions (0.0.1, 0.1.0, Nov 2025) have no provenance attestations, but they were published manually before the release workflow was functional (the media-kit build was broken until #59), so they predate the working automated path.

To verify on the next release

When the next release is cut through the automated pipeline (tag nixos-branding-guide-v*.*.*):

If provenance is absent despite a successful trusted-publishing run, add --provenance to the npm publish command in release-npm-package.yaml as an explicit fallback.

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions