Conversation

@wraithgar wraithgar commented Feb 13, 2023

  • feat: add provenance attestation
  • fix: refactor error reporting in audit command
@wraithgar wraithgar requested a review from a team as a code owner February 13, 2023 18:15
@wraithgar wraithgar requested review from fritzy and removed request for a team February 13, 2023 18:15
@wraithgar
Member Author

This is the actual PR to land for provenance. We are doing it this way so that the provenance branch does not get removed when the PR is landed.


Code scanning / CodeQL: check failure (Hard-coded credentials), on this excerpt of the test file:

```js
t.test('publish existing package with provenance in gha', async t => {
  const oidcURL = 'https://mock.oidc'
  const requestToken = 'decafbad'
```

The hard-coded value "decafbad" is used as [authorization header](1).
@npm-cli-bot
Collaborator

npm-cli-bot commented Feb 13, 2023

no statistically significant performance changes detected

timing results

| app-large | clean | lock-only | cache-only | cache-only peer-deps | modules-only | no-lock | no-cache | no-modules | no-clean | no-clean audit |
|---|---|---|---|---|---|---|---|---|---|---|
| npm@8 | 43.375 ±2.00 | 26.198 ±0.43 | 23.306 ±0.95 | 27.565 ±0.96 | 4.126 ±0.01 | 4.112 ±0.06 | 3.329 ±0.03 | 17.102 ±0.00 | 3.329 ±0.09 | 4.835 ±0.13 |
| #6162 | 44.142 ±2.60 | 25.583 ±0.10 | 23.393 ±0.17 | 27.403 ±0.17 | 4.132 ±0.00 | 4.094 ±0.15 | 3.177 ±0.01 | 16.570 ±0.02 | 3.240 ±0.02 | 4.839 ±0.24 |

| app-medium | clean | lock-only | cache-only | cache-only peer-deps | modules-only | no-lock | no-cache | no-modules | no-clean | no-clean audit |
|---|---|---|---|---|---|---|---|---|---|---|
| npm@8 | 31.594 ±0.37 | 19.565 ±0.27 | 17.953 ±0.03 | 19.114 ±0.01 | 3.856 ±0.05 | 3.866 ±0.13 | 3.460 ±0.00 | 12.413 ±0.08 | 3.240 ±0.02 | 4.558 ±0.09 |
| #6162 | 31.373 ±0.95 | 19.201 ±0.07 | 17.951 ±0.11 | 19.293 ±0.16 | 3.905 ±0.03 | 3.919 ±0.18 | 3.358 ±0.17 | 12.666 ±0.03 | 3.203 ±0.15 | 4.416 ±0.10 |
This adds a new `--provenance` flag to npm for provenance attestation during `npm publish`. If set to `true`, npm will detect if it is running in GitHub Actions and will generate an appropriate attestation bundle for that environment. The primary work in this PR was done by [@bdehamer](https://github.com/bdehamer), with some cleanup and edge-case handling added by the npm cli team.
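The attestation bundle that `npm publish --provenance` generates in GitHub Actions is only useful if a consumer later checks it. The following Node script is an added example and is not code from this PR or from npm; it decodes a bundle of the layout assumed here (a Sigstore bundle wrapping a DSSE envelope whose payload is a base64 in-toto Statement with a SLSA v0.2 provenance predicate) and checks the attested source repository, package subject and tarball digest against a policy the consumer pins. The sample bundle, its digests, the `buildType` and `builder` values, and the repository and workflow names are all constructed placeholders; signature and certificate verification of the envelope is assumed to happen before this policy step.

```javascript
// Added example, not code from npm or this PR. It reads a provenance
// attestation bundle of the shape assumed for `npm publish --provenance`
// (a Sigstore bundle wrapping a DSSE envelope whose payload is a base64
// in-toto Statement carrying a SLSA v0.2 provenance predicate) and checks
// it against a consumer's policy. All data below is constructed sample
// data with placeholder values; no real attestation is embedded.

// Decode the DSSE envelope payload into the in-toto statement it carries.
function decodeStatement (bundle) {
  const env = bundle.dsseEnvelope
  if (!env || env.payloadType !== 'application/vnd.in-toto+json') {
    throw new Error('bundle does not carry an in-toto DSSE envelope')
  }
  return JSON.parse(Buffer.from(env.payload, 'base64').toString('utf8'))
}

// Pull out the facts a verifier actually decides on.
function summarizeProvenance (statement) {
  if (statement.predicateType !== 'https://slsa.dev/provenance/v0.2') {
    throw new Error(`unexpected predicateType: ${statement.predicateType}`)
  }
  const subject = statement.subject[0]
  const src = statement.predicate.invocation.configSource
  // configSource.uri is assumed to have the form git+https://<host>/<owner>/<repo>@<ref>
  const m = /^git\+(https:\/\/[^@]+)@(.+)$/.exec(src.uri)
  if (!m) {
    throw new Error(`unparseable configSource.uri: ${src.uri}`)
  }
  return {
    package: subject.name,
    sha512: subject.digest.sha512,
    builder: statement.predicate.builder.id,
    buildType: statement.predicate.buildType,
    repository: m[1],
    ref: m[2],
    commit: src.digest.sha1,
    workflow: src.entryPoint,
  }
}

// Policy layer: the package must have been built from the repository the
// consumer expects, and the attested digest must match the tarball that
// was actually downloaded. This does not verify the DSSE signature or the
// signing certificate; that is done separately (e.g. by sigstore) before a
// bundle reaches this check.
function checkProvenance (bundle, expected) {
  const p = summarizeProvenance(decodeStatement(bundle))
  const problems = []
  if (p.package !== expected.package) {
    problems.push(`subject ${p.package} is not ${expected.package}`)
  }
  if (p.repository !== expected.repository) {
    problems.push(`built from ${p.repository}, expected ${expected.repository}`)
  }
  if (p.sha512 !== expected.sha512) {
    problems.push('attested sha512 does not match the downloaded tarball')
  }
  return { ok: problems.length === 0, problems, provenance: p }
}

// --- constructed sample bundle (placeholder values, not a real attestation) ---
const SAMPLE_SHA512 = 'ab'.repeat(64)
const SAMPLE_STATEMENT = {
  _type: 'https://in-toto.io/Statement/v0.1',
  subject: [{ name: 'pkg:npm/example-pkg@1.2.3', digest: { sha512: SAMPLE_SHA512 } }],
  predicateType: 'https://slsa.dev/provenance/v0.2',
  predicate: {
    buildType: 'https://github.com/npm/cli/gha@v1', // assumed value
    builder: { id: 'https://github.com/actions/runner' }, // assumed value
    invocation: {
      configSource: {
        uri: 'git+https://github.com/example-org/example-pkg@refs/heads/main',
        digest: { sha1: '0'.repeat(40) },
        entryPoint: 'publish.yml',
      },
    },
  },
}
const SAMPLE_BUNDLE = {
  mediaType: 'application/vnd.dev.sigstore.bundle+json;version=0.1',
  dsseEnvelope: {
    payloadType: 'application/vnd.in-toto+json',
    payload: Buffer.from(JSON.stringify(SAMPLE_STATEMENT)).toString('base64'),
    signatures: [{ keyid: '', sig: 'UExBQ0VIT0xERVI=' }], // placeholder, not verified here
  },
}

// Policy a consumer would pin for this package (constructed).
const EXPECTED = {
  package: 'pkg:npm/example-pkg@1.2.3',
  repository: 'https://github.com/example-org/example-pkg',
  sha512: SAMPLE_SHA512,
}

const verdict = checkProvenance(SAMPLE_BUNDLE, EXPECTED)
console.log(verdict.ok ? 'provenance matches policy' : verdict.problems.join('\n'))
```

The repository comparison is the part that catches a package whose publish was legitimately signed but from a fork or a different project than the consumer meant to depend on; the digest comparison is what ties the attestation to the exact bytes installed.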
@wraithgar wraithgar force-pushed the gar/provenance-pr branch 2 times, most recently from b7778c8 to 43dd4d8 Compare February 13, 2023 19:02
Contributor

@bdehamer bdehamer left a comment

LGTM 🎉

@wraithgar wraithgar merged commit ed59aae into latest Feb 13, 2023
@wraithgar wraithgar deleted the gar/provenance-pr branch February 13, 2023 21:34
@github-actions github-actions bot mentioned this pull request Feb 13, 2023
4 participants