feat: Add GitLab CI provenance #6375
Merged
Commits on May 4, 2023
- 030956b libnpmpublish: Add GitLab CI provenance.
  This is a first pass at provenance generation for GitLab CI. This is based loosely off of existing GitLab provenance documents:
  https://about.gitlab.com/blog/2022/11/30/achieve-slsa-level-2-compliance-with-gitlab/
  https://gist.github.com/wlynch/c7fd8f53adc77d3c0ec82356e4d43cb5
  Currently this pulls values from environment variables. I'm aware we want to pull this data from authenticated JWTs for GitHub provenance, but I don't know what is in flight so I am starting here for now, marking as v1alpha1 until we have more confidence in the provenance spec.
- d22dcee libnpmpublish: [gitlab] un-refactor generate provenance, add check for SIGSTORE_ID_TOKEN.
- 0830de9
- cabf14f Remove fallthrough case in provenance.js.
  This case is already covered in publish.js, so it was recommended that this was removed.
- 19bbf76 Set GITHUB_ACTIONS environment variable to false in tests.
  Current theory is that this is causing the tests to fail, since the library is picking up the real GitHub Actions runner when running in CI.
- 47c544d Add additional pipeline data into environment.
  This data probably shouldn't be in environment, but this is where similar data lives in the GitLab provenance spec today so it likely makes the most sense to co-locate.
- 2806562
Commits on May 11, 2023
- 3853fbc Remove CI_REPOSITORY_URL, CI_BUILD_REF.
  CI_BUILD_REF doesn't actually exist, CI_REPOSITORY_URL contains an access token.
- 8b1257d Remove GITLAB_USER_NAME, GITLAB_USER_EMAIL.
  These values are a bit too much PII, so remove for now and only include GITLAB_USER_ID and GITLAB_USER_LOGIN.
Commits on May 12, 2023
- 3bb9bfb
- cd8a88d
- fcf02f9
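The commits above drop CI_REPOSITORY_URL (it contains an access token) and the user name and e-mail from the recorded environment. As an added example, not code from this pull request or from libnpmpublish: an allowlist-based capture of CI variables that also rejects any URL value carrying embedded credentials. The allowlist contents, the function names and the sample values are assumptions constructed for illustration.

```javascript
// Added example (not npm/cli code): copy only allowlisted GitLab CI variables
// into a provenance "environment" object, and refuse credential-bearing URLs.

// Assumed selection of GitLab predefined variables; not the PR's actual list.
const ALLOWED = [
  'CI_PROJECT_URL', 'CI_COMMIT_SHA', 'CI_JOB_ID', 'CI_PIPELINE_ID',
  'GITLAB_USER_ID', 'GITLAB_USER_LOGIN',
]

// True when the value parses as a URL with userinfo (user:token@host).
function hasEmbeddedCredentials (value) {
  try {
    const u = new URL(value)
    return u.username !== '' || u.password !== ''
  } catch {
    return false // not a URL at all, e.g. a job id or a commit SHA
  }
}

// Returns the values that are safe to publish plus the names that were
// allowlisted but rejected, so a misconfigured allowlist is visible.
function collectEnvironment (env, allowed = ALLOWED) {
  const environment = {}
  const rejected = []
  for (const name of allowed) {
    const value = env[name]
    if (value === undefined) continue
    if (hasEmbeddedCredentials(value)) {
      rejected.push(name)
      continue
    }
    environment[name] = value
  }
  return { environment, rejected }
}

// Constructed sample job environment; every value here is made up.
const sampleEnv = {
  CI_PROJECT_URL: 'https://gitlab.example.com/group/pkg',
  CI_COMMIT_SHA: '0123456789abcdef0123456789abcdef01234567',
  CI_JOB_ID: '42',
  CI_REPOSITORY_URL: 'https://gitlab-ci-token:PLACEHOLDER@gitlab.example.com/group/pkg.git',
  GITLAB_USER_ID: '7',
  GITLAB_USER_LOGIN: 'dev',
  GITLAB_USER_NAME: 'Dev Eloper',
  GITLAB_USER_EMAIL: 'dev@example.com',
  SIGSTORE_ID_TOKEN: 'constructed-not-a-real-token',
}
```

Because a provenance statement is published alongside the package, anything copied into it is effectively public; the `rejected` list catches the case where a credential-bearing variable is later added to the allowlist by mistake.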