fix: add npm provenance and fix core peer dependency version

Add --provenance flag to npm publish for supply chain security.
Add id-token: write permission to release workflow for OIDC-based
provenance attestation. Fix MIN_CORE_VERSION to dynamically use
current version instead of hardcoded ^8.0.2.
Daniel Sogl
2026-03-21 16:04:30 -07:00
parent d45a4f766c
commit 6453f2ab78
2 changed files with 6 additions and 2 deletions


@@ -9,6 +9,7 @@ permissions:
contents: write
pull-requests: write
issues: write
id-token: write
jobs:
release-please:
@@ -30,6 +31,9 @@ jobs:
runs-on: ubuntu-latest
needs: release-please
if: ${{ needs.release-please.outputs.release_created }}
permissions:
contents: read
id-token: write
steps:
- uses: actions/checkout@v4.3.1
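Review bot: The workflow-level `id-token: write` added in the first hunk looks broader than needed, because the publishing job in the second hunk declares its own `permissions:` block with `id-token: write`, and a job-level block replaces the workflow-level set for that job. Unless the release-please job sets its own permissions (not visible here), it can now also request an OIDC token alongside `contents: write`, which it presumably does not need for provenance. I would drop the top-level line and keep `id-token: write` only on the job that runs the publish. Separately, since this job now produces signed provenance, consider pinning `actions/checkout@v4.3.1` to a full commit SHA rather than a tag; the steps list continues outside the hunk.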


@@ -11,7 +11,7 @@ import { Logger } from '../logger';
const MAIN_PACKAGE_JSON = JSON.parse(readFileSync(resolve(__dirname, '../../package.json'), 'utf-8'));
const VERSION = MAIN_PACKAGE_JSON.version;
const FLAGS = '--access public';
const FLAGS = '--access public --provenance';
const PACKAGE_JSON_BASE = {
description: 'Awesome Cordova Plugins - Native plugins for ionic apps',
@@ -44,7 +44,7 @@ const DIST = resolve(ROOT, 'dist/@awesome-cordova-plugins');
const PACKAGES = [];
const MIN_CORE_VERSION = '^8.0.2';
const MIN_CORE_VERSION = '^' + VERSION;
const RXJS_VERSION = '^5.5.0 || ^6.5.0 || ^7.3.0';
const PLUGIN_PEER_DEPENDENCIES = {
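Review bot: With `--provenance` hard-coded into `FLAGS`, every publish from this script has to run in a supported CI environment with an OIDC token, and npm rejects the publish if the `repository` field of the generated package.json does not match the repository the workflow runs from. `PACKAGE_JSON_BASE` continues outside the hunk, so I cannot see whether it sets `repository`; that is worth confirming, along with a comment above the constant such as `// --provenance needs CI with id-token: write and a matching "repository" in each generated package.json`. In the second hunk, `'^' + VERSION` assumes that `version` in the root package.json is a plain release string; a prerelease version there would change how the caret range matches, so a short comment stating that assumption would help.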