chore: update NPM publishing

ryjones · ryjones · commit a980fe118720 · 2025-09-26T19:41:21.000-07:00
Signed-off-by: Ry Jones &lt;ry@linux.com&gt;
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -9,16 +9,31 @@ on:
       - "v[0-9]+.[0-9]+.[0-9]+"
       - "v[0-9]+.[0-9]+.[0-9]+-*"
 
+# ---- Global permissions for Trusted Publishing & attestations ----
+# id-token:write is required for OIDC (npm trusted publishing, keyless attestations)
+# packages:write for GHCR; attestations:write for GitHub artifact attestations (optional but recommended)
+permissions:
+  contents: read
+  packages: write
+  id-token: write
+  attestations: write
+
 env:
   IMAGE_NAME: ${{ github.repository_owner }}/fabric-nodeenv
 
 jobs:
   test:
     uses: ./.github/workflows/test.yaml
 
+  # =============== npm (Trusted Publisher via OIDC) ==================
+  # Pre-req (one-time): In npm, enable "Trusted publishing" for the package
+  # and link this repo/workflow. Then you no longer need NPM_TOKEN.  [oai_citation:0‡npm Docs](https://docs.npmjs.com/trusted-publishers/?utm_source=chatgpt.com)
   publishnpm:
     runs-on: ubuntu-24.04
     needs: test
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
@@ -28,21 +43,24 @@ jobs:
         with:
           name: node-tgzs
           path: build/
-      - run: |
+      - name: Publish packages with provenance (OIDC)
+        # No NODE_AUTH_TOKEN needed when Trusted Publishing is enabled.
+        # --provenance tells npm to attach SLSA provenance to the package.  [oai_citation:1‡The GitHub Blog](https://github.blog/security/supply-chain-security/introducing-npm-package-provenance/?utm_source=chatgpt.com)
+        run: |
           set -xev
           ls -lart build/
           cd build
-          find . -type f -name 'fabric-*.tgz' -exec npm publish {} \;
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          find . -type f -name 'fabric-*.tgz' -print0 | xargs -0 -I{} npm publish {} --provenance --access public
 
+  # ========= Build & push per-arch images (with provenance/SBOM) =========
   docker-build-push:
-    name: Push Docker image
+    name: Build & Push Docker image (per-arch)
     needs: test
     runs-on: ${{ matrix.arch.runner }}
     permissions:
       contents: read
-      packages: write
+      packages: write     # for ghcr.io
+      id-token: write     # for provenance/attestations
     strategy:
       fail-fast: false
       matrix:
@@ -53,50 +71,68 @@ jobs:
             runner: ubuntu-24.04-arm
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
       - name: Get commit timestamp
         run: echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> "${GITHUB_ENV}"
-      - name: Login to GitHub Container Registry
+
+      # ---- GHCR login via GITHUB_TOKEN (already short-lived/trusted) ----
+      - name: Login to GitHub Container Registry (ghcr.io)
         uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
+
+      # ---- Optional: Docker Hub login (kept for now) ----
+      # If your Docker Hub org enables its own trusted/OIDC flow later, you can
+      # replace this with that method; until then PAT is required.  [oai_citation:2‡Docker Documentation](https://docs.docker.com/docker-hub/image-library/trusted-content/?utm_source=chatgpt.com)
       - name: Login to Docker Hub
+        if: ${{ secrets.DOCKERHUB_USERNAME && secrets.DOCKERHUB_TOKEN }}
         uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
         with:
           registry: docker.io
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
-      - name: Build image
+
+      - name: Build image (per-arch) with provenance + SBOM
         id: build
         uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           file: docker/fabric-nodeenv/Dockerfile
           context: docker/fabric-nodeenv
+          platforms: ${{ matrix.arch.platform }}
+          # Generate and attach provenance/SBOM at build time.  [oai_citation:3‡Docker Documentation](https://docs.docker.com/build/metadata/attestations/slsa-provenance/?utm_source=chatgpt.com)
+          provenance: true
+          sbom: true
           outputs: type=registry,"name=${{ format('ghcr.io/{0},docker.io/{0}', env.IMAGE_NAME) }}",push-by-digest=true,name-canonical=true
         env:
           SOURCE_DATE_EPOCH: ${{ env.SOURCE_DATE_EPOCH }}
+
       - name: Export digest
         run: |
           mkdir -p ${{ runner.temp }}/digests
           digest="${{ steps.build.outputs.digest }}"
           touch "${{ runner.temp }}/digests/${digest#sha256:}"
+
       - name: Upload digest
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: digest-${{ matrix.arch.platform }}
           path: ${{ runner.temp }}/digests/*
           if-no-files-found: error
 
+  # =============== Manifest + tags publishing ==================
   docker-meta:
     needs: docker-build-push
     name: Publish Docker metadata
     runs-on: ubuntu-latest
     permissions:
       contents: read
       packages: write
+      id-token: write
     strategy:
       fail-fast: false
       matrix:
@@ -110,12 +146,14 @@ jobs:
           path: ${{ runner.temp }}/digests
           pattern: digest-*
           merge-multiple: true
+
       - name: Login to ${{ matrix.registry }}
         uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
         with:
           registry: ${{ matrix.registry }}
           username: ${{ matrix.registry == 'docker.io' && secrets.DOCKERHUB_USERNAME || github.actor }}
           password: ${{ matrix.registry == 'docker.io' && secrets.DOCKERHUB_TOKEN || secrets.GITHUB_TOKEN }}
+
       - name: Docker metadata
         id: meta
         uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
@@ -125,12 +163,15 @@ jobs:
             type=semver,pattern={{version}}
             type=semver,pattern={{major}}.{{minor}}
             type=semver,pattern={{major}}.{{minor}}.{{patch}}
+
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
+
       - name: Create and push manifest list
         working-directory: ${{ runner.temp }}/digests
         run: |
           docker buildx imagetools create $(jq -cr '.tags | map("--tag " + .) | join(" ")' <<< "${DOCKER_METADATA_OUTPUT_JSON}") \
             $(printf '${{ matrix.registry }}/${{ env.IMAGE_NAME }}@sha256:%s ' *)
+
       - name: Inspect image
         run: docker buildx imagetools inspect '${{ matrix.registry }}/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}'
