samchon/typia

Add Provenance Support

Closed this issue · 10 comments

Feature Request

Description

This allows you to publicly establish where a package was built and who published a package, which can increase supply-chain security for your packages.

This is a super easy publish command change.
Only an npm parameter needs to be added to the existing publish pipeline (by default).

Overview

Publish this package using only GitHub Actions and enable Provenance to enable the ability to cryptographically attest that the package hasn't been tampered with during build, publish, and transport.

This can be done via npm audit signatures automatically.

NPM Docs:
https://docs.npmjs.com/generating-provenance-statements

Examples

Before: npm publish

After: npm publish --provenance

Consuming attestation signatures:
https://docs.npmjs.com/generating-provenance-statements#verifying-provenance-attestations

Implementation Tracker

  • Migrate Publish Process to GitHub Actions #1262
  • Enable Provenance Attestation in the GH Actions publish workflow

PR

Requested Change - #1281

else cp.execSync(`npm publish --tag ${tag}`, { stdio: "inherit" });

You can accomplish it just by updating the above line.

Will you try PR?

I'm absolutely happy to do a PR, I just want to double-check: does the above code get executed inside a GitHub Actions runner?
If so, which workflow does it run in?
I need to make sure that the ID token is enabled for attestation in the workflow.

@elliot-huffman
I think he publishes this package from his local machine.
We need to configure GitHub Actions first.

@elliot-huffman
Also, I'm working on making this repo as a monorepo using pnpm.
#1065

@elliot-huffman I think he publishes this package from his local machine. We need to configure GitHub Actions first.

I can build the GH Actions version of publish.
@samchon, are you ok with me writing a GH Actions pipeline to publish your project when a GH Release is created? (as a PR)
For reference on what I am thinking about making a PR for, take a peek at and tell me what you think:
https://github.com/Software-Hardware-Integration-Lab/ObjectID-Converter/blob/main/.github/workflows/NPM-Publish.yml

Now that provenance is enabled, would I be able to request that you run a deploy/publish from the GH Actions so that we have a new version with the provenance?

@elliot-huffman There's an error in the typia.llm.application<App>() function about an asynchronous member method.

I'll test it after fixing the bug. The job would be completed in 2 hours.

Thanks for the contribution.

Thanks for the heads up, can't wait!

https://github.com/samchon/typia/blob/master/.github/workflows/release.yml

Refactored your workflow file to be more concise, and made it work only when releasing with the latest tag.

That's the reason why packaging the next tag needs to be executed manually by me, due to dependent libraries like nestia.

The changed publish workflow file is being tested. Thanks for your guidance @elliot-huffman.


@elliot-huffman https://www.npmjs.com/package/typia

Succeeded, thanks for your help.