fix(publish): gate --provenance on GITHUB_ACTIONS to unbreak local runs

jdalton · jdalton · commit 638f15bed40e · 2026-04-19T17:47:12.000-04:00
`npm publish --provenance` requires the GitHub Actions OIDC
id-token endpoint — running the script locally (or in any non-GHA
environment) fails with:
  "Provenance generation in GitHub Actions requires 'id-token: write'
   permission"

Guarded the flag behind `process.env.GITHUB_ACTIONS === 'true'` so
local emergency publishes (classic npm-token auth, no OIDC) still
work. CI runs unchanged — GITHUB_ACTIONS is always `true` there, so
provenance attestations are attached to every CI-published tarball
exactly as before.

Same fix was applied to stuie's scripts/publish.mts earlier today
and is going out to socket-packageurl-js / socket-sdk-js in
parallel commits.
diff --git a/scripts/npm/publish-npm-packages.mts b/scripts/npm/publish-npm-packages.mts
@@ -411,20 +411,22 @@ async function publishTrusted(pkg, state, options) {
         await new Promise(resolve => setTimeout(resolve, delay))
       }
 
-      // Use npm for trusted publishing with OIDC tokens.
-
-      const result = await spawn(
-        'npm',
-        ['publish', '--provenance', '--access', 'public'],
-        {
-          cwd: pkg.path,
-          env: {
-            ...process.env,
-            // Don't set NODE_AUTH_TOKEN for trusted publishing - uses OIDC.
-          },
-          shell: WIN32,
+      // Use npm for trusted publishing with OIDC tokens. `--provenance`
+      // requires the GitHub Actions OIDC id-token endpoint, so it's
+      // gated on GITHUB_ACTIONS=true — local emergency publishes (run
+      // with a classic npm token) still work without provenance.
+      const publishArgs = ['publish', '--access', 'public']
+      if (process.env['GITHUB_ACTIONS'] === 'true') {
+        publishArgs.splice(1, 0, '--provenance')
+      }
+      const result = await spawn('npm', publishArgs, {
+        cwd: pkg.path,
+        env: {
+          ...process.env,
+          // Don't set NODE_AUTH_TOKEN for trusted publishing - uses OIDC.
         },
-      )
+        shell: WIN32,
+      })
       if (result.stdout) {
         logger.log(result.stdout)
       }
