Configure npm provenance statements #132
Conversation
|
Open to adding it but last I checked this didn't work: Unfortunately my current automation creates the release commit and tag off of the preceding commit (because thats a tedious process and I want to make sure its done consistently) and npm provenance statements don't work unless the action runner was triggered directly off of the commit hash that is requesting the provenance statement. I was thinking I could add a two-step action: create the release commit and tags with the changelog, and then trigger a subsequent action run on that specific commit which performs the npm release, then provenance would work. But it has drawbacks:
I'll try to revisit this, but in the meantime here is what this module does implement security wise:
Thats probably more words that you need but thats my current brain dump on the issue. |
|
Ah interesting. Are you sure the provenance check won't work with the manual dispatch trigger and still sign it with a link back to the job that ran and some All sounds good though. I thought this would be a quick win. Feel free to close this 🙂 |
|
We can leave open for a bit to provide motivation to look into it again. I convinced myself Provenance was another DOA npm feature launch back when it first came out, but I should revisit to make sure my assumptions are still correct. |
|
@bcomnes I think we can merge this 👍 Provenance would be good |
|
@voxpelli I don't think it will work as written though. Need to test it out and or change the automation flow to accommodate provenance. I don't think it likes it when providence is signed in an action run thats different than the release commit. |
See https://docs.npmjs.com/generating-provenance-statements
It signs the release linking it back to the github action run that built it.
Might be worth adding a new option to
bcomnes/npm-bumpbut went with this for now.