feat: support all npm 3rd party flags

Author: GauBen

.yarnrc.yml

@@ -17,6 +17,8 @@ initScope: yarnpkg
 
 npmPublishAccess: public
 
+npmPublishProvenance: true
+
 packageExtensions:
   "@codemirror/lang-html@*":
     dependencies:

packages/docusaurus/static/configuration/manifest.json

@@ -362,6 +362,11 @@
           "format": "uri-reference",
           "examples": ["./build/index.mjs"]
         },
+        "provenance": {
+          "title": "Define whether to produce a provenance statement for the package when publishing. Overrides all other provenance settings.",
+          "type": "boolean",
+          "examples": [true]
+        },
         "registry": {
           "description": "If present, will replace whatever registry is defined in the configuration when the package is about to be pushed to a remote location.",
           "type": "string",

packages/docusaurus/static/configuration/yarnrc.json

@@ -529,9 +529,16 @@
       "_package": "@yarnpkg/plugin-npm-cli",
       "type": "string",
       "title": "Define the default access to use when publishing packages to the npm registry.",
-      "description": "Valid values are `public` and `restricted`, but `restricted` usually requires to register for a paid plan (this is up to the registry you use). Can be overridden on a per-package basis using the `publishConfig.access` field.",
+      "description": "Valid values are `public` and `restricted`, but `restricted` usually requires to register for a paid plan (this is up to the registry you use). Can be overridden on a per-package basis using the [`publishConfig.access`](manifest#publishConfig.access) field.",
       "enum": ["public", "restricted"]
     },
+    "npmPublishProvenance": {
+      "_package": "@yarnpkg/plugin-npm-cli",
+      "title": "Define whether to attach a provenance statement when publishing packages to the npm registry.",
+      "description": "If true, Yarn will generate and publish the provenance information when publishing packages. Can be overridden on a per-package basis using the [`publishConfig.provenance`](manifest#publishConfig.provenance) field.",
+      "type": "boolean",
+      "default": false
+    },
     "npmAuditExcludePackages": {
       "_package": "@yarnpkg/plugin-npm-cli",
       "title": "Array of package name glob patterns to exclude from `yarn npm audit`.",

packages/plugin-npm-cli/sources/commands/npm/publish.ts

@@ -43,7 +43,7 @@ export default class NpmPublishCommand extends BaseCommand {
   });
 
   provenance = Option.Boolean(`--provenance`, false, {
-    description: `Generate provenance for the package. Only available in GitHub Actions and GitLab CI.`,
+    description: `Generate provenance for the package. Only available in GitHub Actions and GitLab CI. Can be set globally through the \`npmPublishProvenance\` setting or the \`NPM_CONFIG_PROVENANCE\` environment variable, or per-package through the \`publishConfig.provenance\` field in package.json.`,
   });
 
   async execute() {
@@ -106,12 +106,32 @@ export default class NpmPublishCommand extends BaseCommand {
         const buffer = await miscUtils.bufferStream(pack);
 
         const gitHead = await npmPublishUtils.getGitHead(workspace.cwd);
+
+        let provenance = false;
+        if (workspace.manifest.publishConfig && `provenance` in workspace.manifest.publishConfig) {
+          provenance = Boolean(workspace.manifest.publishConfig.provenance);
+          if (provenance) {
+            report.reportInfo(null, `Generating provenance statement because \`publishConfig.provenance\` field is set.`);
+          } else {
+            report.reportInfo(null, `Skipping provenance statement because \`publishConfig.provenance\` field is set to false.`);
+          }
+        } else if (this.provenance) {
+          provenance = true;
+          report.reportInfo(null, `Generating provenance statement because \`--provenance\` flag is set.`);
+        } else if (process.env.NPM_CONFIG_PROVENANCE) {
+          provenance = true;
+          report.reportInfo(null, `Generating provenance statement because \`NPM_CONFIG_PROVENANCE\` env var is set.`);
+        } else if (configuration.get(`npmPublishProvenance`)) {
+          provenance = true;
+          report.reportInfo(null, `Generating provenance statement because \`npmPublishProvenance\` setting is set.`);
+        }
+
         const body = await npmPublishUtils.makePublishBody(workspace, buffer, {
           access: this.access,
           tag: this.tag,
           registry,
           gitHead,
-          provenance: this.provenance,
+          provenance,
         });
 
         await npmHttpUtils.put(npmHttpUtils.getIdentUrl(ident), body, {

packages/plugin-npm-cli/sources/index.ts

@@ -27,6 +27,7 @@ export {NpmWhoamiCommand};
 declare module '@yarnpkg/core' {
   interface ConfigurationValueMap {
     npmPublishAccess: string | null;
+    npmPublishProvenance: boolean;
     npmAuditExcludePackages: Array<string>;
     npmAuditIgnoreAdvisories: Array<string>;
   }
@@ -39,6 +40,11 @@ const plugin: Plugin = {
       type: SettingsType.STRING,
       default: null,
     },
+    npmPublishProvenance: {
+      description: `Whether to generate provenance for the published packages`,
+      type: SettingsType.BOOLEAN,
+      default: false,
+    },
     npmAuditExcludePackages: {
       description: `Array of glob patterns of packages to exclude from npm audit`,
       type: SettingsType.STRING,

packages/yarnpkg-core/sources/Manifest.ts

@@ -28,13 +28,14 @@ export interface PeerDependencyMeta {
 
 export interface PublishConfig {
   access?: string;
+  bin?: Map<string, PortablePath>;
+  browser?: PortablePath | Map<PortablePath, boolean | PortablePath>;
+  executableFiles?: Set<PortablePath>;
   main?: PortablePath;
   module?: PortablePath;
-  type?: string;
-  browser?: PortablePath | Map<PortablePath, boolean | PortablePath>;
-  bin?: Map<string, PortablePath>;
+  provenance?: boolean;
   registry?: string;
-  executableFiles?: Set<PortablePath>;
+  type?: string;
 }
 
 export interface InstallConfig {