
Update npm-publish workflow to include --provenance flag for package …#1776

Open
jcortejoso wants to merge 1 commit into dev from jcortejoso/provenance

Conversation

@jcortejoso (Member) commented Feb 19, 2026

Description

Update npm-publish workflow to include --provenance flag for package publishing: https://docs.npmjs.com/generating-provenance-statements

Summary by CodeRabbit

  • Chores
    • Updated automated publishing to include provenance metadata for npm package releases.
    • Retains existing dry-run behavior and applies the provenance change across all publish steps, improving package integrity and verifiability during distribution.

@coderabbitai (Contributor) bot commented Feb 19, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 431a1cf and 1dced7c.

📒 Files selected for processing (1)
  • .github/workflows/npm-publish.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/npm-publish.yml

📝 Walkthrough

The workflow file .github/workflows/npm-publish.yml was updated to add the --provenance flag to all npm publish invocations, placing it before existing TAG and DRY_RUN arguments.

Changes

  • Cohort / File(s): npm Publish Workflow Configuration (.github/workflows/npm-publish.yml)
    Summary: Added the --provenance flag to npx npm@latest publish package.tgz --access public invocations across publish steps; flag is inserted before existing $TAG and $DRY_RUN arguments.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Suggested reviewers

  • Nesopie
  • transphorm

Poem

📦 A tiny flag joins the publish song,
Provenance sworn as the packages move along,
Build whispers truth in a signed little note,
Origin traced as the registries float,
Small change, clearer trust — a tidy new song.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)
  • Description check: ❓ Inconclusive. The description provides context and includes a reference link, but is missing the required 'Tested' and 'How to QA' sections from the template. Resolution: complete the missing template sections: add a 'Tested' section explaining how the workflow change was validated, and a 'How to QA' section with reproducible testing steps.

✅ Passed checks (2 passed)
  • Title check: ✅ Passed. The title clearly and specifically describes the main change: adding the --provenance flag to the npm-publish workflow.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@coderabbitai (Contributor) bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/npm-publish.yml:
- Line 425: The publish command line "npx npm@latest publish package.tgz
--access restricted --provenance --tag alpha $DRY_RUN" is invalid because
--provenance cannot be used with --access restricted; either remove --provenance
from that publish invocation (Option A) so the command becomes a restricted
publish, or change --access restricted to --access public (Option B) so
provenance can be generated; also ensure the package name
(`@selfxyz/mobile-sdk-alpha`) and CI secrets/policy allow public publishing before
choosing Option B.
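For reference, the following is an added example of a complete publish job built around the same publish line this PR changes; it is not the project's npm-publish.yml and not part of the PR. It shows the two things the diff itself does not make visible: the job needs `id-token: write` so that `--provenance` can mint the OIDC token the attestation is signed with, and the publish must be `--access public`, because npm will not generate provenance for a restricted package (the point raised in the review comment above). The job id, the `workflow_dispatch` inputs `tag` and `dry_run`, and the secret name `NPM_TOKEN` are assumptions for illustration; the final step assumes the registry already serves the just-published version.

```yaml
# Added example (not the project's workflow): minimal publish job matching the
# publish invocation changed in this PR. Assumed names: job id "publish",
# workflow_dispatch inputs "tag" and "dry_run", and the secret NPM_TOKEN.
name: npm-publish-with-provenance

on:
  workflow_dispatch:
    inputs:
      tag:
        description: dist-tag to publish under (assumed input)
        default: latest
      dry_run:
        description: pass --dry-run to npm publish (assumed input)
        type: boolean
        default: true

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # required: --provenance requests an OIDC token from the runner
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org   # writes .npmrc so NODE_AUTH_TOKEN is used

      - name: Build tarball
        # npm pack prints the tarball filename on stdout; normalise it to package.tgz
        run: mv "$(npm pack)" package.tgz

      - name: Publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # assumed secret name
          TAG: --tag ${{ inputs.tag }}
          DRY_RUN: ${{ inputs.dry_run && '--dry-run' || '' }}
        # --access public is required: npm refuses to generate provenance for a
        # restricted package. npx npm@latest is used because --provenance needs
        # npm >= 9.5, which may be newer than the npm bundled with the runner.
        run: npx npm@latest publish package.tgz --access public --provenance $TAG $DRY_RUN

      - name: Verify the published attestation
        if: ${{ !inputs.dry_run }}
        run: |
          PKG="$(node -p "require('./package.json').name")"
          VER="$(node -p "require('./package.json').version")"
          mkdir verify && cd verify
          npm init -y >/dev/null
          npm install "$PKG@$VER"
          # Reports "N packages have verified attestations" when the provenance
          # statement for the installed version is present and verifies.
          npm audit signatures
```

Two caveats worth knowing when QA-ing this change: a `--dry-run` publish does not generate or upload an attestation, so the `id-token` permission and the public/restricted constraint are only exercised by a real publish, and the consumer-side check is `npm audit signatures` (npm 9.5+), which verifies both the registry signature and the provenance attestation of each installed package.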

jcortejoso force-pushed the jcortejoso/provenance branch from 431a1cf to 1dced7c on February 27, 2026 14:39