From 293c85935a4794c70246b6206fa72633b6e902ca Mon Sep 17 00:00:00 2001 From: Max Schmitt Date: Thu, 5 Oct 2023 20:00:18 +0000 Subject: [PATCH] devops: publish using NPM provenance feature (#27459) As per https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions. We use Node.js 18 (LTS) to get NPM 9+. Closes https://github.com/microsoft/playwright/issues/22555
---
 .github/workflows/publish_canary.yml | 5 ++++-
 .github/workflows/publish_release_npm.yml | 5 ++++-
 utils/publish_all_packages.sh | 2 +-
 3 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/publish_canary.yml b/.github/workflows/publish_canary.yml
index 9fa09f1ef4..61119fbbf9 100644
--- a/.github/workflows/publish_canary.yml
+++ b/.github/workflows/publish_canary.yml
@@ -16,11 +16,14 @@ jobs:
 name: "publish canary NPM & Publish canary Docker"
 runs-on: ubuntu-20.04
 if: github.repository == 'microsoft/playwright'
+ permissions:
+ contents: read
+ id-token: write
 steps:
 - uses: actions/checkout@v3
 - uses: actions/setup-node@v3
 with:
- node-version: 16
+ node-version: 18
 registry-url: 'https://registry.npmjs.org'
 - run: npm i -g npm@8
 - run: npm ci
diff --git a/.github/workflows/publish_release_npm.yml b/.github/workflows/publish_release_npm.yml
index 474157edf1..e423115446 100644
--- a/.github/workflows/publish_release_npm.yml
+++ b/.github/workflows/publish_release_npm.yml
@@ -12,11 +12,14 @@ jobs:
 name: "publish to NPM"
 runs-on: ubuntu-20.04
 if: github.repository == 'microsoft/playwright'
+ permissions:
+ contents: read
+ id-token: write
 steps:
 - uses: actions/checkout@v3
 - uses: actions/setup-node@v3
 with:
- node-version: 16
+ node-version: 18
 registry-url: 'https://registry.npmjs.org'
 - run: npm i -g npm@8
 - run: npm ci
diff --git a/utils/publish_all_packages.sh b/utils/publish_all_packages.sh
index 78344136e3..23e4d3eca1 100755
--- a/utils/publish_all_packages.sh
+++ b/utils/publish_all_packages.sh
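Review bot: The unchanged step `- run: npm i -g npm@8` that follows setup-node in this hunk appears to replace the npm bundled with Node.js 18 by an 8.x release, while the commit message relies on npm 9+ for provenance. npm added `--provenance` in 9.5.0, so the publish step may run without producing an attestation even though `id-token: write` is now granted. I would drop that step or raise the pin, e.g. `- run: npm i -g npm@9`, and the same applies to the identical step in publish_release_npm.yml. The publish step itself lies outside the hunk, so this should be confirmed against the rest of the job.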
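Review bot: `id-token: write` is granted to the whole job, so every step, including `npm ci` and the `actions/checkout@v3` / `actions/setup-node@v3` actions referenced by mutable tag, runs in a job that can request an OIDC token for signing. Pinning both actions to a full commit SHA (with the tag kept as a trailing comment) would keep a retagged action from running with that permission; the same lines appear in publish_canary.yml. If the remaining steps, which are outside this hunk, do more than publish, moving the `npm publish` call into its own job would confine the permission to it. A short comment above the block, such as `# id-token: write is required for npm provenance (OIDC signing)`, would also record why it is there.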
@@ -94,7 +94,7 @@ echo "==================== Publishing version ${VERSION} ================"
 node ./utils/workspace.js --ensure-consistent
 node ./utils/workspace.js --list-public-package-paths | while read package
 do
- npm publish --access=public ${package} --tag="${NPM_PUBLISH_TAG}"
+ npm publish --access=public ${package} --tag="${NPM_PUBLISH_TAG}" --provenance
 done
 echo "Done."
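Review bot: `--provenance` is passed unconditionally in the loop, so any run of this script outside a supported CI provider (for example a manual publish from a workstation) would likely fail, since npm can only generate provenance where it can obtain an OIDC token. If local publishing is still a supported path, the flag could be supplied by the workflows instead, e.g. `NPM_CONFIG_PROVENANCE: "true"` in the publish step's `env`, or gated on `GITHUB_ACTIONS` here. Separately, `${package}` on the changed line is unquoted; `npm publish --access=public "${package}" --tag="${NPM_PUBLISH_TAG}" --provenance` avoids word splitting on paths that contain spaces. The script continues outside the hunk.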