Skip to content

ci: restore provenance.yml publish workflow on main#1410

Merged
John-David Dalton (jdalton) merged 1 commit into
mainfrom
barslev/restore-provenance-publish-workflow
Jul 10, 2026
Merged

ci: restore provenance.yml publish workflow on main#1410
John-David Dalton (jdalton) merged 1 commit into
mainfrom
barslev/restore-provenance-publish-workflow

Conversation

@barslev

@barslev Benjamin Barslev Nielsen (barslev) commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

Problem

The "📦 Publish to npm registry" workflow (.github/workflows/provenance.yml) has disappeared from the Actions UI, so the socket 1.1.x line can no longer be published from the sidebar.

Root cause: commit f6165b07e ("chore(ci): land 3 ci changes", part of the v2 monorepo cascade landed on main on 2026-07-09) removed provenance.yml from main. Because main is the default branch, GitHub only registers/surfaces workflows that exist there — so removing it:

  • dropped "📦 Publish to npm registry" from the Actions sidebar (no entry, no "Run workflow" button), and
  • makes prune-workflow-runs.yml eligible to wipe all of its run history (it deletes all runs for workflows whose source is gone from the default branch).

That workflow is still the only publisher for the socket 1.1.x line — currently socket@latest = 1.1.140 on npm, shipped from the v1.x branch. The two publish workflows now on main (npm-publish.yml, publish-npm.yml) belong to the v2 socket-cli-monorepo and do not publish the 1.1.x line.

Change

Restore .github/workflows/provenance.yml on main, verbatim from v1.x. This re-registers the workflow so it reappears in the Actions UI with a working "Run workflow" button.

How to use after merge

Dispatch "📦 Publish to npm registry" and select the v1.x branch as the ref (the run uses the workflow definition and code from the selected ref). The main copy exists only so GitHub registers/surfaces the workflow.

Note — this is a stopgap

The removal came from the automated fleet/template cascade. Unless the cascade template is updated to keep this file (or the team decides on a different publishing path for the 1.1.x line while v2 isn't yet latest), a future cascade may drop it again. Flagging separately to John-David Dalton (@jdalton).


Note

Medium Risk
Restores release automation that uses NPM OIDC/token publishing and can create git tags; operational risk if dispatched against the wrong ref, but logic is an unchanged restore from v1.x.

Overview
Re-adds .github/workflows/provenance.yml on main so GitHub registers “Publish to npm registry” again in the Actions UI (workflows on the default branch only). The file matches the v1.x copy; after merge, operators should dispatch it with the v1.x ref so builds and publishes still use the 1.1.x line.

The restored workflow is the manual build → npm publish (with provenance) path for the socket / legacy / Sentry dist variants, plus idempotent v<version> tagging when the primary socket publish succeeds. It does not change application code—only brings back the workflow definition that was removed from main during the v2 CI cascade.

Reviewed by Cursor Bugbot for commit f9385b7. Configure here.

The v2 monorepo cascade (f6165b0, "chore(ci): land 3 ci changes")
removed .github/workflows/provenance.yml from main. Because main is the
default branch, that de-registered the "Publish to npm registry" workflow
from the Actions UI (no sidebar entry, no Run button) and
prune-workflow-runs.yml is wiping its run history. That workflow is still
the only publisher for the socket 1.1.x line (current npm latest) shipped
from v1.x.

Restore the file verbatim from v1.x so the workflow re-registers and is
dispatchable again. Dispatch it selecting the v1.x branch as the ref.
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedgithub/​actions/​setup-node@​53b83947a5a98c8d113130e565377fae1a50d02f99100100100100

View full report

@socket-security-staging

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedgithub/​actions/​setup-node@​53b83947a5a98c8d113130e565377fae1a50d02f99100100100100

View full report

@jdalton

Copy link
Copy Markdown
Collaborator

Ah yes, migrating to a npm-publish.yml workflow but until it is up solid lets keep the old.

@jdalton John-David Dalton (jdalton) merged commit a524daa into main Jul 10, 2026
8 of 9 checks passed
@jdalton John-David Dalton (jdalton) deleted the barslev/restore-provenance-publish-workflow branch July 10, 2026 12:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

2 participants