authorDivy Srivastava <dj.srivastava23@gmail.com>2024-02-29 21:48:47 +0530
committerGitHub <noreply@github.com>2024-02-29 21:48:47 +0530
commit9ffc34c1599e9d45a6d419166347c52b7859b649 (patch)
tree393e65f1d737a5324fe2f46e7a235d8b85d30f52
parentab7173346932b5f638094bdceda277ab157db287 (diff)
feat(publish): enable package provenance by default on github actions (#22635)
-rw-r--r--cli/args/flags.rs32
-rw-r--r--cli/tools/registry/mod.rs16
-rw-r--r--tests/integration/publish_tests.rs2
-rw-r--r--tests/util/server/src/lib.rs3
4 files changed, 21 insertions, 32 deletions
diff --git a/cli/args/flags.rs b/cli/args/flags.rs
index 03e0c364c..ec4433f58 100644
--- a/cli/args/flags.rs
+++ b/cli/args/flags.rs
@@ -302,7 +302,7 @@ pub struct PublishFlags {
pub token: Option<String>,
pub dry_run: bool,
pub allow_slow_types: bool,
- pub provenance: bool,
+ pub no_provenance: bool,
}
#[derive(Clone, Debug, Eq, PartialEq)]
@@ -2404,9 +2404,9 @@ fn publish_subcommand() -> Command {
.action(ArgAction::SetTrue),
)
.arg(
- Arg::new("provenance")
- .long("provenance")
- .help("From CI/CD system, publicly links the package to where it was built and published from.")
+ Arg::new("no-provenance")
+ .long("no-provenance")
+ .help("Disable provenance attestation. Enabled by default on Github actions, publicly links the package to where it was built and published from.")
.action(ArgAction::SetTrue)
)
.arg(check_arg(/* type checks by default */ true))
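Review bot: The new help text on the `--no-provenance` line overstates the default: in the registry code of this same commit provenance is only attempted when both `auth::is_gha()` and `auth::gha_oidc_token().is_some()` hold, so a GitHub Actions job without an OIDC token will not get an attestation, and users may wrongly assume they are covered. The text also omits the `DISABLE_JSR_PROVENANCE` environment escape hatch the commit introduces, and spells the product "Github". Suggested wording: `.help("Disable provenance attestation. Enabled by default on GitHub Actions when an OIDC token is available (can also be disabled with DISABLE_JSR_PROVENANCE); publicly links the package to where it was built and published from.")`.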
@@ -3860,7 +3860,7 @@ fn publish_parse(flags: &mut Flags, matches: &mut ArgMatches) {
token: matches.remove_one("token"),
dry_run: matches.get_flag("dry-run"),
allow_slow_types: matches.get_flag("allow-slow-types"),
- provenance: matches.get_flag("provenance"),
+ no_provenance: matches.get_flag("no-provenance"),
});
}
@@ -8580,6 +8580,7 @@ mod tests {
let r = flags_from_vec(svec![
"deno",
"publish",
+ "--no-provenance",
"--dry-run",
"--allow-slow-types",
"--token=asdf",
@@ -8591,26 +8592,7 @@ mod tests {
token: Some("asdf".to_string()),
dry_run: true,
allow_slow_types: true,
- provenance: false,
- }),
- type_check_mode: TypeCheckMode::Local,
- ..Flags::default()
- }
- );
- }
-
- #[test]
- fn publish_provenance_args() {
- let r =
- flags_from_vec(svec!["deno", "publish", "--provenance", "--token=asdf",]);
- assert_eq!(
- r.unwrap(),
- Flags {
- subcommand: DenoSubcommand::Publish(PublishFlags {
- token: Some("asdf".to_string()),
- dry_run: false,
- allow_slow_types: false,
- provenance: true,
+ no_provenance: true,
}),
type_check_mode: TypeCheckMode::Local,
..Flags::default()
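Review bot: Deleting `publish_provenance_args` removes the only assertion on the flag's default, so nothing now checks that a plain `deno publish --token=asdf` parses to `no_provenance: false`. Because this default is what turns provenance on for everyone publishing from CI, a regression here would silently disable attestation. Keep a minimal counterpart, e.g. `flags_from_vec(svec!["deno", "publish", "--token=asdf"])` asserting `no_provenance: false` alongside the existing `true` case.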
diff --git a/cli/tools/registry/mod.rs b/cli/tools/registry/mod.rs
index b862ed6a6..4e1b9d5e1 100644
--- a/cli/tools/registry/mod.rs
+++ b/cli/tools/registry/mod.rs
@@ -470,7 +470,7 @@ async fn perform_publish(
mut publish_order_graph: PublishOrderGraph,
mut prepared_package_by_name: HashMap<String, Rc<PreparedPublishPackage>>,
auth_method: AuthMethod,
- provenance: bool,
+ no_provenance: bool,
) -> Result<(), AnyError> {
let client = http_client.client()?;
let registry_api_url = jsr_api_url().to_string();
@@ -531,7 +531,7 @@ async fn perform_publish(
&registry_api_url,
&registry_url,
&authorization,
- provenance,
+ no_provenance,
)
.await
.with_context(|| format!("Failed to publish {}", display_name))?;
@@ -558,7 +558,7 @@ async fn publish_package(
registry_api_url: &str,
registry_url: &str,
authorization: &str,
- provenance: bool,
+ no_provenance: bool,
) -> Result<(), AnyError> {
let client = http_client.client()?;
println!(
@@ -665,8 +665,12 @@ async fn publish_package(
package.version
);
- if provenance {
- // Get the version manifest from JSR
+ let enable_provenance = std::env::var("DISABLE_JSR_PROVENANCE").is_err()
+ || (auth::is_gha() && auth::gha_oidc_token().is_some() && !no_provenance);
+
+ // Enable provenance by default on Github actions with OIDC token
+ if enable_provenance {
+ // Get the version manifest from the registry
let meta_url = jsr_url().join(&format!(
"@{}/{}/{}_meta.json",
package.scope, package.package, package.version
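Review bot: The `enable_provenance` expression has an operator-precedence bug: `A.is_err() || (B && C && !no_provenance)` is true whenever `DISABLE_JSR_PROVENANCE` is unset, which is the normal case, so `--no-provenance` is ignored and provenance is attempted even outside GitHub Actions or without an OIDC token. The comment on the following line says "by default on Github actions with OIDC token", which is what `&&` would express: `let enable_provenance = std::env::var("DISABLE_JSR_PROVENANCE").is_err() && auth::is_gha() && auth::gha_oidc_token().is_some() && !no_provenance;`. Note also that `is_err()` means any value of `DISABLE_JSR_PROVENANCE`, including an empty string or `false`, disables attestation; if that is intended, say so in the comment. The enclosing `publish_package` function starts and ends outside this hunk.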
@@ -942,7 +946,7 @@ pub async fn publish(
prepared_data.publish_order_graph,
prepared_data.package_by_name,
auth_method,
- publish_flags.provenance,
+ publish_flags.no_provenance,
)
.await?;
diff --git a/tests/integration/publish_tests.rs b/tests/integration/publish_tests.rs
index 4199c924f..befd3826e 100644
--- a/tests/integration/publish_tests.rs
+++ b/tests/integration/publish_tests.rs
@@ -166,7 +166,7 @@ itest!(successful {
});
itest!(provenance {
- args: "publish --provenance",
+ args: "publish",
output: "publish/successful_provenance.out",
cwd: Some("publish/successful"),
envs: env_vars_for_jsr_provenance_tests(),
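Review bot: Only the positive path is exercised here; there is no integration test that `publish --no-provenance` with the provenance environment (`env_vars_for_jsr_provenance_tests()`) produces the non-provenance output. Such a test would have caught the `||`/`&&` mix-up in `enable_provenance` in `cli/tools/registry/mod.rs`, which currently makes the flag a no-op. Consider adding an `itest!(no_provenance { args: "publish --no-provenance", output: "publish/successful.out", cwd: Some("publish/successful"), envs: env_vars_for_jsr_provenance_tests(), ... })` mirroring this one, if an equivalent expected-output file exists.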
diff --git a/tests/util/server/src/lib.rs b/tests/util/server/src/lib.rs
index c65526ca3..e06ba2b39 100644
--- a/tests/util/server/src/lib.rs
+++ b/tests/util/server/src/lib.rs
@@ -60,12 +60,14 @@ pub fn env_vars_for_npm_tests() -> Vec<(String, String)> {
pub fn env_vars_for_jsr_tests() -> Vec<(String, String)> {
vec![
("JSR_URL".to_string(), jsr_registry_url()),
+ ("DISABLE_JSR_PROVENANCE".to_string(), "true".to_string()),
("NO_COLOR".to_string(), "1".to_string()),
]
}
pub fn env_vars_for_jsr_provenance_tests() -> Vec<(String, String)> {
let mut envs = env_vars_for_jsr_tests();
+ envs.retain(|(key, _)| key != "DISABLE_JSR_PROVENANCE");
envs.extend(vec![
("REKOR_URL".to_string(), rekor_url()),
("FULCIO_URL".to_string(), fulcio_url()),
@@ -112,6 +114,7 @@ pub fn env_vars_for_jsr_npm_tests() -> Vec<(String, String)> {
vec![
("NPM_CONFIG_REGISTRY".to_string(), npm_registry_url()),
("JSR_URL".to_string(), jsr_registry_url()),
+ ("DISABLE_JSR_PROVENANCE".to_string(), "true".to_string()),
("NO_COLOR".to_string(), "1".to_string()),
]
}