Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: add provenance publish notice #6247

Merged
merged 1 commit into from
Mar 14, 2023
Merged

fix: add provenance publish notice #6247

merged 1 commit into from
Mar 14, 2023

Conversation

bdehamer
Copy link
Contributor

@bdehamer bdehamer commented Mar 13, 2023

Adds a notice in libnpmpublish which let's the user know that a provenance statement was published for their package.

End result will look something like this:

npm notice 
npm notice 📦  @ps-testing/dummy-provenance@1.0.0-4420104616.1
npm notice === Tarball Contents === 
npm notice 1.1kB LICENSE     
npm notice 711B  README.md   
npm notice 28B   index.js    
npm notice 487B  package.json
npm notice === Tarball Details === 
npm notice name:          @ps-testing/dummy-provenance                      
npm notice version:       1.0.0-4420104616.1                                
npm notice filename:      ps-testing-dummy-provenance-1.0.0-4420104616.1.tgz
npm notice package size:  1.4 kB                                            
npm notice unpacked size: 2.3 kB                                            
npm notice shasum:        63c71e9871ff36942[78](https://github.com/npm/provenance-tests/actions/runs/4420104616/jobs/7749380920#step:8:79)f3e3a5c[83](https://github.com/npm/provenance-tests/actions/runs/4420104616/jobs/7749380920#step:8:84)e4bd66f9018c          
npm notice integrity:     sha512-ynvxGJyOxZAA3[...]fzrPMYTLtj6DQ==          
npm notice total files:   4                                                 
npm notice 
npm notice Publishing to https://registry.npmjs.org/ with tag latest and public access
npm notice publish Signed provenance statement with source and build information from GitHub Actions
npm notice publish Provenance statement published to transparency log: https://rekor.sigstore.dev/api/v1/log/entries?logIndex=15428[84](https://github.com/npm/provenance-tests/actions/runs/4420104616/jobs/7749380920#step:8:85)4

@bdehamer bdehamer requested a review from feelepxyz March 13, 2023 21:41
Comment on lines 12 to 13
const TLOG_BASE_URL = 'https://rekor.tlog.dev'

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@feelepxyz it seems unlikely that we're gonna have our tlog UI stood-up in time to get this into the CLI. Should we just omit the URL?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah we won't have this UI stood up in time. Maybe ok to link to the API entry for now, e.g. https://rekor.sigstore.dev/api/v1/log/entries?logIndex=1 - loading it up is not user friendly but at least shows where we've published it to.

Maybe we could also say something about generating/signing it with metadata from GHA?

Signed provenance statement with source and build information from GitHub Actions
Provenance statement published to transparency log: https://rekor.sigstore.dev/api/v1/log/entries?logIndex=xx

@steiza @MylesBorins thoughts on what we should say in the CLI output when publishing with provenance?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 What @feelepxyz suggests sounds good to me!

As we add support for other CI/CD providers, will we have the necessary context at this point in the code to correctly attribute the CI/CD provider used?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

will we have the necessary context at this point in the code to correctly attribute the CI/CD provider used?

I think so as we'll need to detect the CI system in order to figure out if it's supported.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

create-node-pr.yml

@bdehamer bdehamer force-pushed the bdehamer/publish-message branch 2 times, most recently from c370ef3 to 1ecf2d8 Compare March 14, 2023 15:24
Signed-off-by: Brian DeHamer <bdehamer@github.com>
@bdehamer bdehamer force-pushed the bdehamer/publish-message branch from 1ecf2d8 to a709b68 Compare March 14, 2023 16:32
@bdehamer bdehamer marked this pull request as ready for review March 14, 2023 16:51
@bdehamer bdehamer requested a review from a team as a code owner March 14, 2023 16:51
@bdehamer bdehamer requested review from fritzy and removed request for a team March 14, 2023 16:51
Copy link
Contributor

@feelepxyz feelepxyz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎉

@nlf nlf merged commit 4622b42 into latest Mar 14, 2023
@nlf nlf deleted the bdehamer/publish-message branch March 14, 2023 21:14
@github-actions github-actions bot mentioned this pull request Mar 14, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants