Skip to content

fix: add provenance publish notice#6247

Merged
nlf merged 1 commit intolatestfrom
bdehamer/publish-message
Mar 14, 2023
Merged

fix: add provenance publish notice#6247
nlf merged 1 commit intolatestfrom
bdehamer/publish-message

Conversation

@bdehamer
Copy link
Contributor

@bdehamer bdehamer commented Mar 13, 2023
edited
Loading

Adds a notice in libnpmpublish which let's the user know that a provenance statement was published for their package.

End result will look something like this:

npm notice 
npm notice 📦  @ps-testing/[email protected]
npm notice === Tarball Contents === 
npm notice 1.1kB LICENSE     
npm notice 711B  README.md   
npm notice 28B   index.js    
npm notice 487B  package.json
npm notice === Tarball Details === 
npm notice name:          @ps-testing/dummy-provenance                      
npm notice version:       1.0.0-4420104616.1                                
npm notice filename:      ps-testing-dummy-provenance-1.0.0-4420104616.1.tgz
npm notice package size:  1.4 kB                                            
npm notice unpacked size: 2.3 kB                                            
npm notice shasum:        63c71e9871ff36942[78](https://github.com/npm/provenance-tests/actions/runs/4420104616/jobs/7749380920#step:8:79)f3e3a5c[83](https://github.com/npm/provenance-tests/actions/runs/4420104616/jobs/7749380920#step:8:84)e4bd66f9018c          
npm notice integrity:     sha512-ynvxGJyOxZAA3[...]fzrPMYTLtj6DQ==          
npm notice total files:   4                                                 
npm notice 
npm notice Publishing to https://registry.npmjs.org/ with tag latest and public access
npm notice publish Signed provenance statement with source and build information from GitHub Actions
npm notice publish Provenance statement published to transparency log: https://rekor.sigstore.dev/api/v1/log/entries?logIndex=15428[84](https://github.com/npm/provenance-tests/actions/runs/4420104616/jobs/7749380920#step:8:85)4

@bdehamer bdehamer requested a review from feelepxyz March 13, 2023 21:41
bdehamer
bdehamer commented Mar 13, 2023
View reviewed changes
workspaces/libnpmpublish/lib/publish.js Outdated
Comment on lines +12 to +13
const TLOG_BASE_URL = 'https://rekor.tlog.dev'

Copy link
Contributor Author

@bdehamer bdehamer Mar 13, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@feelepxyz it seems unlikely that we're gonna have our tlog UI stood-up in time to get this into the CLI. Should we just omit the URL?

Copy link
Contributor

@feelepxyz feelepxyz Mar 14, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah we won't have this UI stood up in time. Maybe ok to link to the API entry for now, e.g. https://rekor.sigstore.dev/api/v1/log/entries?logIndex=1 - loading it up is not user friendly but at least shows where we've published it to.

Maybe we could also say something about generating/signing it with metadata from GHA?

Signed provenance statement with source and build information from GitHub Actions
Provenance statement published to transparency log: https://rekor.sigstore.dev/api/v1/log/entries?logIndex=xx

@steiza @MylesBorins thoughts on what we should say in the CLI output when publishing with provenance?

Copy link
Member

@steiza steiza Mar 14, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 What @feelepxyz suggests sounds good to me!

As we add support for other CI/CD providers, will we have the necessary context at this point in the code to correctly attribute the CI/CD provider used?

Copy link
Contributor

@feelepxyz feelepxyz Mar 14, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

will we have the necessary context at this point in the code to correctly attribute the CI/CD provider used?

I think so as we'll need to detect the CI system in order to figure out if it's supported.

Copy link

@Larry260194 Larry260194 Mar 19, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

create-node-pr.yml

@bdehamer bdehamer force-pushed the bdehamer/publish-message branch 2 times, most recently from c370ef3 to 1ecf2d8 Compare March 14, 2023 15:24
@bdehamer bdehamer force-pushed the bdehamer/publish-message branch from 1ecf2d8 to a709b68 Compare March 14, 2023 16:32
@bdehamer bdehamer marked this pull request as ready for review March 14, 2023 16:51
@bdehamer bdehamer requested a review from a team as a code owner March 14, 2023 16:51
@bdehamer bdehamer requested review from fritzy and removed request for a team March 14, 2023 16:51
feelepxyz
feelepxyz approved these changes Mar 14, 2023
View reviewed changes
Copy link
Contributor

@feelepxyz feelepxyz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎉

@nlf nlf merged commit 4622b42 into latest Mar 14, 2023
@nlf nlf deleted the bdehamer/publish-message branch March 14, 2023 21:14
@github-actions github-actions bot mentioned this pull request Mar 14, 2023
Merged
@npm-cli-bot npm-cli-bot mentioned this pull request Mar 15, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fritzy fritzy Awaiting requested review from fritzy fritzy is a code owner automatically assigned from npm/cli-team

4 more reviewers

@steiza steiza steiza left review comments

@Larry260194 Larry260194 Larry260194 left review comments

@feelepxyz feelepxyz feelepxyz approved these changes

@nlf nlf nlf approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@bdehamer @feelepxyz @steiza @nlf @Larry260194