## Context

`--provenance` was removed from the publish workflow in #14 because npm requires the source repository to be public for provenance attestations to work.

Error encountered:

```
npm error code E422
npm error Unsupported GitHub Actions source repository visibility: "private".
npm error Only public source repositories are supported when publishing with provenance.
```
## What to do before going public

In `.github/workflows/publish.yml`:

1. Add back `id-token: write` to the job permissions:

   ```yaml
   permissions:
     contents: read
     id-token: write # for npm provenance
   ```

2. Add `--provenance` back to the publish step:

   ```yaml
   - name: Publish
     run: npm publish --provenance --ignore-scripts
   ```
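A pre-flight check for the two settings above, added here as an example and not part of this issue or the project's own tooling. It writes two constructed sample workflows (one with both settings restored, one in the current state without them) and greps each for the `id-token: write` permission and the `--provenance` flag on the publish step, so the check can run before the repository is flipped to public. File paths are temporary and assumed; the sample YAML is constructed for the demo.

```shell
#!/bin/sh
# Added example: checks that a publish workflow has both settings needed for
# npm provenance. Not from the issue or the project; samples are constructed.

# Returns 0 when both settings are present, 1 when either is missing.
check_publish_workflow() {
  file="$1"
  status=0
  if grep -Eq '^[[:space:]]*id-token:[[:space:]]*write' "$file"; then
    echo "ok: id-token: write is present in job permissions"
  else
    echo "missing: id-token: write in job permissions"
    status=1
  fi
  if grep -Eq 'npm publish.*--provenance' "$file"; then
    echo "ok: --provenance is set on the publish step"
  else
    echo "missing: --provenance on npm publish"
    status=1
  fi
  return $status
}

# Writes a constructed sample workflow to a temp file and prints its path.
# "good" is the workflow as it should look before going public; anything else
# is the current state, with provenance removed (as in #14).
make_sample_workflow() {
  f=$(mktemp)
  if [ "$1" = "good" ]; then
    cat > "$f" <<'EOF'
name: publish
on:
  release:
    types: [published]
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write # for npm provenance
    steps:
      - uses: actions/checkout@v4
      - name: Publish
        run: npm publish --provenance --ignore-scripts
EOF
  else
    cat > "$f" <<'EOF'
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - name: Publish
        run: npm publish --ignore-scripts
EOF
  fi
  printf '%s\n' "$f"
}

# Usage: run the check against both constructed samples.
good=$(make_sample_workflow good)
bad=$(make_sample_workflow bad)
check_publish_workflow "$good" && echo "ready: provenance settings restored"
check_publish_workflow "$bad" || echo "not ready: fix publish.yml first"
rm -f "$good" "$bad"
```

Point the check at the real `.github/workflows/publish.yml` instead of the constructed samples to use it in practice; a nonzero exit means one of the two settings is still missing.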
## Why it matters

npm provenance creates a cryptographically signed attestation linking the published package to the exact source commit and CI workflow that built it. Users can verify the package wasn't tampered with between source and registry.