From c76934f7e9aba710cd70267531e24a5df1242ca1 Mon Sep 17 00:00:00 2001 From: Claude Date: Sat, 15 Nov 2025 04:20:58 +0000 Subject: [PATCH] fix: add --access public flag to GitHub Packages publish with provenance When publishing to GitHub Packages with the --provenance flag, npm requires explicitly setting --access public. This fixes the npm publish error: "Can't generate provenance for new or private package, you must set access to public" Changes: - Added --access public flag to auto-release.yml GitHub Packages publish step - Added --access public flag to release.yml GitHub Packages publish step - Added clarifying comment about the requirement This ensures SLSA provenance generation works correctly for GitHub Packages. --- .github/workflows/auto-release.yml | 5 +++-- .github/workflows/release.yml | 2 +- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/.github/workflows/auto-release.yml b/.github/workflows/auto-release.yml index 6aff259..6c3de78 100644 --- a/.github/workflows/auto-release.yml +++ b/.github/workflows/auto-release.yml @@ -223,10 +223,11 @@ jobs: run: | # The publishConfig in package.json already points to GitHub Packages # Include --provenance flag (GitHub Packages uses attestations generated above) + # --access public is required when using --provenance if [ "${{ github.event.inputs.is_beta }}" == "true" ]; then - npm publish --tag beta --provenance + npm publish --tag beta --access public --provenance else - npm publish --provenance + npm publish --access public --provenance fi env: NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 00004fa..b6fa491 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -115,6 +115,6 @@ jobs: path: dist/ - name: Publish to GitHub Packages - run: npm publish --provenance + run: npm publish --access public --provenance env: NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}