

fix: add provenance publish notice
Signed-off-by: Brian DeHamer <bdehamer@github.com>
bdehamer committed Mar 14, 2023
1 parent 618c1ba commit 1ecf2d8
Showing 2 changed files with 14 additions and 0 deletions.
13 changes: 13 additions & 0 deletions workspaces/libnpmpublish/lib/publish.js
@@ -1,13 +1,16 @@
const { fixer } = require('normalize-package-data')
const npmFetch = require('npm-registry-fetch')
const npa = require('npm-package-arg')
const log = require('proc-log')
const semver = require('semver')
const { URL } = require('url')
const ssri = require('ssri')
const ciInfo = require('ci-info')

const { generateProvenance } = require('./provenance')

const TLOG_BASE_URL = 'https://rekor.sigstore.dev/api/v1/log/entries'

const publish = async (manifest, tarballData, opts) => {
if (manifest.private) {
throw Object.assign(
Expand Down Expand Up @@ -169,6 +172,16 @@ const buildMetadata = async (registry, manifest, tarballData, spec, opts) => {
}
const provenanceBundle = await generateProvenance([subject], opts)

/* eslint-disable-next-line max-len */
log.notice('publish', 'Signed provenance statement with source and build information from GitHub Actions')

const tlogEntry = provenanceBundle?.verificationMaterial?.tlogEntries[0]
/* istanbul ignore else */
if (tlogEntry) {
const logUrl = `${TLOG_BASE_URL}?logIndex=${tlogEntry.logIndex}`
log.notice('publish', `Provenance statement published to transparency log: ${logUrl}`)
}

const serializedBundle = JSON.stringify(provenanceBundle)
root._attachments[provenanceBundleName] = {
content_type: provenanceBundle.mediaType,
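Review bot: The optional chain on the `tlogEntry` line stops one step short: `provenanceBundle?.verificationMaterial?.tlogEntries[0]` still throws a TypeError when `verificationMaterial` is present but `tlogEntries` is absent, turning a missing-log-entry case into a failed publish instead of the skipped notice that the `if (tlogEntry)` guard intends. Change it to `const tlogEntry = provenanceBundle?.verificationMaterial?.tlogEntries?.[0]`. The notice also hard-codes the public Rekor instance in `TLOG_BASE_URL`; if `generateProvenance` can be pointed at a different transparency log through `opts` (not visible in this hunk), the logged URL should be derived from that same setting so the message never claims publication to a log the bundle was not written to. The enclosing `buildMetadata` starts and ends outside this hunk.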
1 change: 1 addition & 0 deletions workspaces/libnpmpublish/package.json
Expand Up @@ -42,6 +42,7 @@
"normalize-package-data": "^5.0.0",
"npm-package-arg": "^10.1.0",
"npm-registry-fetch": "^14.0.3",
"proc-log": "^3.0.0",
"semver": "^7.3.7",
"sigstore": "^1.0.0",
"ssri": "^10.0.1"

