(libnpmpublish) GitLab CI provenance #6373

Closed
wlynch opened this issue Apr 18, 2023 · 2 comments · Fixed by #6375
@wlynch
Contributor

wlynch commented Apr 18, 2023

I'm interested in contributing provenance generation for GitLab CI, similar to the existing GitHub Actions provenance support - https://github.com/npm/cli/blob/latest/workspaces/libnpmpublish/lib/provenance.js.

Initial GitLab OIDC support has been added to sigstore-js: sigstore/sigstore-js#394, so all we should need to do here is add provenance generation when running in a GitLab environment.

GitLab issue: https://gitlab.com/gitlab-com/Product/-/issues/5632

cc @marshall007 @bdehamer

@wraithgar
Member

Great, thanks! You'll notice the existing provenance.js file in libnpmpublish is very single-use. This was intentional because it isn't until we support more than one environment that we even know what we need to abstract.

Does ci-info detect GitLab sufficiently? If so then the first step is adding GitLab to this if statement and its thrown error message.

After that this if statement will need to only apply when in GitHub, and a new one will need to be added to do a best-attempt at making sure the current GitLab environment is going to succeed at building a provenance attestation. This is mostly for user experience and is not intended to be a security measure. It's so that the error npm gives is as helpful as possible.

After that I think we just have an if statement in provenance.js that builds what it does now if ci-info says it's GitHub, and a new response if it's GitLab.

Don't bother trying to abstract or DRY it up; it's just two branches right now, we'll be fine.

Does that give you a good place to start from? We can work through the tests once the code exists. Open a PR whenever you want feedback.

@wraithgar
Member

Do we need to keep this open? Now that there is a provenance branch for beta testing I would assume that discussions on changes would happen in a subsequent PR? If I'm wrong please reopen this!
