From 8d98be46b920de0cdefa9c2d99d4a7a21f625834 Mon Sep 17 00:00:00 2001 From: Wesley Wigham Date: Tue, 25 Jun 2024 08:34:40 -0700 Subject: [PATCH 1/2] Enable Build Provenance for Nightly Builds Maybe. This is pretty difficult (impossible?) to test outside of the CI environment itself. Ostensibly, this is all we should need for github actions, though. cc @DanielRosenwasser who wanted to know what it'd take to enable this. For nightlies, at least, it's in theory not bad. For actual releases, it's likely a bit more complex, given our publishing and releasing pipeline. --- .github/workflows/nightly.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml index 0c18905734dbb..d1583d66bf01f 100644 --- a/.github/workflows/nightly.yaml +++ b/.github/workflows/nightly.yaml @@ -8,6 +8,7 @@ on: permissions: contents: read + id-token: write # Ensure scripts are run with pipefail. See: # https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference @@ -60,6 +61,6 @@ jobs: npx hereby configure-nightly npx hereby LKG node ./scripts/addPackageJsonGitHead.mjs package.json - npm publish --tag next + npm publish --provenance --access public --tag next env: NODE_AUTH_TOKEN: ${{secrets.npm_token}} From 7c86376355887d5d077c9f69e2f0f1c3156bb602 Mon Sep 17 00:00:00 2001 From: Wesley Wigham Date: Tue, 25 Jun 2024 09:00:44 -0700 Subject: [PATCH 2/2] Update .github/workflows/nightly.yaml --- .github/workflows/nightly.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/.github/workflows/nightly.yaml b/.github/workflows/nightly.yaml index d1583d66bf01f..eabeb7b41b610 100644 --- a/.github/workflows/nightly.yaml +++ b/.github/workflows/nightly.yaml 
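Review bot: `id-token: write` is added to the workflow-level `permissions:` block (the hunk at line 8 sits under `on:`, above `jobs:`), so every job in this workflow may mint an OIDC token, not only the one that publishes. Scoping it to the publishing job keeps any other job at `contents: read` only; it would read `permissions:` / `contents: read` / `id-token: write` as a job-level block under the job that runs `npm publish`, leaving the top-level block as it was. I cannot see how many jobs the file defines, so if this is the only job the practical difference is small, but the top-level grant still sets a broader baseline than needed.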
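Review bot: `--access public` is added alongside `--provenance` in the second hunk without a comment saying why; for an unscoped package name it changes nothing, but for a scoped one it is what decides public versus restricted, so the intent (presumably that provenance is only offered for publicly published packages) deserves to be written down. A line such as `# --access public: provenance attestations are only issued for publicly published packages` above the publish command would make that explicit for the next maintainer. The step's `run` block starts outside the hunk, and the publish still authenticates with the long-lived `NODE_AUTH_TOKEN` secret, which provenance attests but does not replace.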
@@ -61,6 +61,10 @@ jobs:
 npx hereby configure-nightly
 npx hereby LKG
 node ./scripts/addPackageJsonGitHead.mjs package.json
+ npm --version
+ # update npm to latest for build provenance feature on publish
+ npm install -g npm
+ npm --version
 npm publish --provenance --access public --tag next
 env:
 NODE_AUTH_TOKEN: ${{secrets.npm_token}}
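Review bot: `npm install -g npm` in the added lines fetches an unpinned `latest` npm from the registry at run time, and because `env:` with `NODE_AUTH_TOKEN` is set on the step rather than on the publish command, that token is already in the environment while the unpinned client is installed and then used to publish. Pinning it, e.g. `npm install -g npm@<pinned-version>` with the chosen version named in the comment, means the publishing toolchain changes only through an explicit commit rather than whatever the registry serves that night; the first `npm --version` then becomes informational and could be dropped. The step's `run` block and the enclosing job definition start outside the hunk.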