Add npm provenance support

Fixes #701

Author: sindresorhus

readme.md

@@ -73,6 +73,7 @@ $ np --help
     --no-2fa                Don't enable 2FA on new packages (not recommended)
     --message               Version bump commit message, '%s' will be replaced with version (default: '%s' with npm and 'v%s' with yarn)
     --package-manager       Use a specific package manager (default: 'packageManager' field in package.json)
+    --provenance            Publish with npm provenance statements (CI-only)
 
   Examples
     $ np
@@ -109,6 +110,7 @@ Currently, these are the flags you can configure:
 - `2fa` - Enable 2FA on new packages (`true` by default) (setting this to `false` is not recommended).
 - `message` - The commit message used for the version bump. Any `%s` in the string will be replaced with the new version. By default, npm uses `%s` and Yarn uses `v%s`.
 - `packageManager` - Set the package manager to be used. Defaults to the [packageManager field in package.json](https://nodejs.org/dist/latest-v16.x/docs/api/all.html#all_packages_packagemanager), so only use if you can't update package.json for some reason.
+- `provenance` - Publish with [npm provenance statements](https://docs.npmjs.com/generating-provenance-statements) (`false` by default). Requires npm 9.5.0+ and a supported CI environment (GitHub Actions or GitLab CI/CD).
 
 For example, this configures `np` to use `unit-test` as a test script, and to use `dist` as the subdirectory to publish:
 

source/cli-implementation.js

@@ -40,6 +40,7 @@ const cli = meow(`
 	  --no-2fa               Don't enable 2FA on new packages (not recommended)
 	  --message              Version bump commit message, '%s' will be replaced with version (default: '%s' with npm and 'v%s' with yarn)
 	  --package-manager      Use a specific package manager (default: 'packageManager' field in package.json)
+	  --provenance           Publish with npm provenance statements (CI-only)
 
 	Examples
 	  $ np
@@ -100,6 +101,9 @@ const cli = meow(`
 		message: {
 			type: 'string',
 		},
+		provenance: {
+			type: 'boolean',
+		},
 	},
 });
 

source/npm/publish.js

@@ -15,6 +15,10 @@ export const getPackagePublishArguments = options => {
 		arguments_.push('--access', 'public');
 	}
 
+	if (options.provenance) {
+		arguments_.push('--provenance');
+	}
+
 	return arguments_;
 };
 

test/cli.js

@@ -32,6 +32,7 @@ test('flags: --help', cliPasses, cli, '--help', [
 	'--no-2fa               Don\'t enable 2FA on new packages (not recommended)',
 	'--message              Version bump commit message, \'%s\' will be replaced with version (default: \'%s\' with npm and \'v%s\' with yarn)',
 	'--package-manager      Use a specific package manager (default: \'packageManager\' field in package.json)',
+	'--provenance           Publish with npm provenance statements (CI-only)',
 	'',
 	'Examples',
 	'$ np',

test/npm/publish.js

@@ -29,6 +29,13 @@ test('options.publishScoped', t => {
 	);
 });
 
+test('options.provenance', t => {
+	t.deepEqual(
+		getPackagePublishArguments({provenance: true}),
+		['publish', '--provenance'],
+	);
+});
+
 test('runPublish uses cwd option when provided', async t => {
 	const result = await runPublish(['echo', ['test']], {cwd: '/tmp'});
 	t.is(result.cwd, '/tmp');