Skip to content

Commit

Permalink
Enable supply chain security through npm provenance attestation
Browse files Browse the repository at this point in the history
- Configure GitHub Actions workflow for secure publishing
- Enable automatic provenance generation during npm publish
- Add integrity verification through Sigstore transparency logs

Fixes: #60497
  • Loading branch information
pupapaik committed Nov 14, 2024
1 parent c043944 commit 6a25cf1
Show file tree
Hide file tree
Showing 2 changed files with 6 additions and 2 deletions.
4 changes: 3 additions & 1 deletion .github/workflows/insiders.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,8 @@ on:

permissions:
contents: read
id-token: write
packages: write

# Ensure scripts are run with pipefail. See:
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
Expand Down Expand Up @@ -60,6 +62,6 @@ jobs:
npx hereby configure-insiders
npx hereby LKG
node ./scripts/addPackageJsonGitHead.mjs package.json
npm publish --tag insiders
npm publish --provenance --tag insiders
env:
NODE_AUTH_TOKEN: ${{secrets.npm_token}}
4 changes: 3 additions & 1 deletion .github/workflows/nightly.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,8 @@ on:

permissions:
contents: read
id-token: write
packages: write

# Ensure scripts are run with pipefail. See:
# https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
Expand Down Expand Up @@ -60,6 +62,6 @@ jobs:
npx hereby configure-nightly
npx hereby LKG
node ./scripts/addPackageJsonGitHead.mjs package.json
npm publish --tag next
npm publish --provenance --tag next
env:
NODE_AUTH_TOKEN: ${{secrets.npm_token}}

0 comments on commit 6a25cf1

Please sign in to comment.