From 6453f2ab789dff71fb77bb06556bbc07c4091692 Mon Sep 17 00:00:00 2001
From: Daniel Sogl
Date: Sat, 21 Mar 2026 16:04:30 -0700
Subject: [PATCH] fix: add npm provenance and fix core peer dependency version

Add --provenance flag to npm publish for supply chain security.
Add id-token: write permission to release workflow for OIDC-based provenance attestation.
Fix MIN_CORE_VERSION to dynamically use current version instead of hardcoded ^8.0.2.
---
 .github/workflows/release-please.yml | 4 ++++
 scripts/tasks/publish.ts             | 4 ++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 980866560..fc8611497 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -9,6 +9,7 @@ permissions:
   contents: write
   pull-requests: write
   issues: write
+  id-token: write
 
 jobs:
   release-please:
@@ -30,6 +31,9 @@ jobs:
     runs-on: ubuntu-latest
     needs: release-please
     if: ${{ needs.release-please.outputs.release_created }}
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - uses: actions/checkout@v4.3.1
diff --git a/scripts/tasks/publish.ts b/scripts/tasks/publish.ts
index 3de9ef233..dde6a2746 100644
--- a/scripts/tasks/publish.ts
+++ b/scripts/tasks/publish.ts
@@ -11,7 +11,7 @@ import { Logger } from '../logger';
 const MAIN_PACKAGE_JSON = JSON.parse(readFileSync(resolve(__dirname, '../../package.json'), 'utf-8'));
 const VERSION = MAIN_PACKAGE_JSON.version;
 
-const FLAGS = '--access public';
+const FLAGS = '--access public --provenance';
 
 const PACKAGE_JSON_BASE = {
   description: 'Awesome Cordova Plugins - Native plugins for ionic apps',
@@ -44,7 +44,7 @@ const DIST = resolve(ROOT, 'dist/@awesome-cordova-plugins');
 
 const PACKAGES = [];
 
-const MIN_CORE_VERSION = '^8.0.2';
+const MIN_CORE_VERSION = '^' + VERSION;
 
 const RXJS_VERSION = '^5.5.0 || ^6.5.0 || ^7.3.0';
 const PLUGIN_PEER_DEPENDENCIES = {
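Review bot: The workflow-level `id-token: write` added under the top `permissions:` block is granted to every job in the workflow, including `release-please`, while the second hunk of this file already scopes `contents: read` and `id-token: write` to the publish job, so the top-level entry is redundant and widens the OIDC token grant beyond the one job that mints provenance. Dropping the added `+  id-token: write` line from this first hunk and keeping only the job-level block is the least-privilege shape. Note that a job-level `permissions` block replaces the workflow-level set rather than merging with it, so the publish job ends up with exactly the two scopes listed there; its steps are outside the hunk, so I cannot confirm from here that nothing else (for example `contents: write` for tagging) is needed.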
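Review bot: The new job-level block lacks a comment saying why `id-token: write` is there, and the grant alone does not yield an attestation: `npm publish --provenance` also needs an npm version that supports the flag (9.5 or later) and a registry configured through `actions/setup-node`'s `registry-url`, neither of which is visible in this hunk. A one-line comment above the block would spare the next maintainer from removing a permission that looks unused: `# id-token: write lets `npm publish --provenance` request an OIDC token for the attestation`. If the publish steps pin an older Node/npm, the publish will fail at the new flag rather than silently skipping provenance.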
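Review bot: Baking `--provenance` into `FLAGS` makes every publish driven by this script depend on an OIDC-capable CI identity; npm refuses to generate provenance outside a supported provider, so a local dry run or a manual emergency publish from a maintainer's machine will now fail rather than publish without an attestation. If that fallback is wanted, gate the flag on the environment, e.g. `const FLAGS = process.env.GITHUB_ACTIONS === 'true' ? '--access public --provenance' : '--access public';`; if it is deliberately CI-only, say so next to the constant: `// --provenance requires npm >= 9.5 and an OIDC-capable CI (id-token: write); publishes fail elsewhere`. How `FLAGS` is consumed is outside this hunk.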
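Review bot: `'^' + VERSION` is never validated, so if `MAIN_PACKAGE_JSON.version` is absent the generated peer dependency becomes the literal `^undefined`, which is only caught when a consumer installs, not when this script publishes. Failing fast before any package is built, `if (!VERSION) throw new Error('root package.json has no version');`, keeps a broken range off the registry, and the concatenation reads better as a template literal (`` `^${VERSION}` ``). A short comment stating the intent — that plugins require the core package from the same release — would also explain why the hardcoded `^8.0.2` was wrong.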