@KingOfTac KingOfTac commented Sep 6, 2024

Pull Request

Description

This PR updates packages and the publish pipeline to support NPM's package signing capabilities.

This may not work due to beachball not supporting the --provenance flag yet, however npm provides alternative methods for enabling the feature here that I ended up using.

This is necessary to build and maintain trust with users as supply chain attacks become more prevalent in the ecosystem. We already use scoped packages which mitigates the risk, this just adds an extra layer.

Issues

Reviewer Notes

Test Plan

After the next release, check each published package on npm to see if the provenance statement has been generated.

Checklist

General

  • I have included a change request file using $ npm run change
  • I have added tests for my changes.
  • I have tested my changes.
  • I have updated the project documentation to reflect my changes.
  • I have read the CONTRIBUTING documentation for this project.

Component-specific

  • I have added a new component
  • I have modified an existing component

⏭ Next Steps
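The "alternative method" the description refers to is npm's config layer: any config key can be supplied as an `NPM_CONFIG_<KEY>` environment variable or as `provenance=true` in `.npmrc`, so the publish wrapper never has to pass `--provenance` itself. The workflow below is an added example written for this page, not the project's actual pipeline or beachball's own code; it assumes a publish script named `publish:ci` (hypothetical name), a secret named `NPM_TOKEN`, npm 9.5 or newer (the first release with provenance support), and a public source repository, which the public registry requires before it will accept a provenance attestation.

```yaml
# Added example, not the project's pipeline: a GitHub Actions publish job that
# enables npm provenance through the environment so it works even when the
# publish wrapper (beachball here) does not expose the --provenance flag.
name: publish

on:
  push:
    branches: [main]

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Required: npm obtains an OIDC token from the runner and uses it to
      # request the Sigstore certificate that signs the provenance statement.
      # Without this permission the publish fails instead of silently
      # publishing without provenance.
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci
      # "publish:ci" is a hypothetical script name standing in for the
      # project's beachball publish command.
      - run: npm run publish:ci
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
          # Equivalent to `provenance=true` in .npmrc or `npm publish --provenance`.
          NPM_CONFIG_PROVENANCE: "true"
```

Two checks complement the test plan above. From any project that installs the released packages, `npm audit signatures` verifies the registry signatures and any provenance attestations of every installed package and reports how many carry a verified attestation; a package that published without provenance simply will not be counted, so the number should match the expected package count after the release. For a single package, `npm view <name>@<version> dist.attestations` shows whether the registry stored an attestation for that exact version. Note that provenance only binds the published tarball to the workflow that built it; the trust it adds depends on keeping the `id-token: write` permission confined to the publish job rather than granting it workflow-wide.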
