Conversation

@Yang-33
Contributor

@Yang-33 Yang-33 commented Feb 12, 2025

By enabling the --provenance flag during npm publish, our package now includes a verifiable record of its build process, enhancing supply chain security. This helps others confirm the authenticity and integrity of the package, ensuring greater trustworthiness in the ecosystem.

See

@Yang-33
Contributor Author

Yang-33 commented Feb 12, 2025

I'm not sure if this works, so please proceed with other releases. After all releases are completed, I'll merge this change and test publishing.

@Yang-33 Yang-33 requested a review from a team February 12, 2025 14:32
@Yang-33 Yang-33 marked this pull request as draft February 12, 2025 14:36
@Yang-33 Yang-33 removed the request for review from a team February 12, 2025 14:36
@Yang-33
Contributor Author

Yang-33 commented Feb 12, 2025

I'll look into it a bit more to ensure that this build step is acceptable for publish with the provenance, as my understanding is still a bit unclear.

```yaml
- name: Update version in package.json, package-lock.json, and lib/version.ts
  run: |
    if [ "${{ github.event_name }}" == "workflow_dispatch" ]; then
      VERSION=${{ github.event.inputs.version }}
    else
      VERSION=${{ github.event.release.tag_name }}
    fi
    VERSION=${VERSION#v}
    echo "VERSION=$VERSION" >> $GITHUB_ENV
    node ./scripts/update-version.mjs $VERSION
- run: npm run release
  env:
    NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN_2 }}
```

@Yang-33
Contributor Author

Yang-33 commented Feb 14, 2025

OK, changing certain files before publishing may not be an issue. We only modify metadata, leaving core functionality unchanged, and this process is documented in our release workflow, ensuring transparency and reproducibility.
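For readers who want to see what the steps discussed in this thread look like end to end, the following is an added example of a release job that publishes with npm provenance. It is not the workflow from this PR or the project's own file: the workflow name, the `npm run build` step, the `NPM_TOKEN` secret name, the action versions and the use of `npm publish --provenance` directly (instead of the project's `npm run release` script) are assumptions; `scripts/update-version.mjs` and the version-resolution logic are taken from the snippet quoted above. The `id-token: write` permission is what allows npm to obtain the OIDC token from GitHub that the provenance attestation is signed with, so a job missing it will fail at publish time rather than silently publish without provenance.

```yaml
# Added example, not the project's workflow. Assumed: workflow name, build step,
# secret name NPM_TOKEN, action versions, and publishing via `npm publish` directly.
name: publish-with-provenance

on:
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      version:
        description: "Version to publish (e.g. 9.7.1 or v9.7.1)"
        required: true

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # required so npm can request the OIDC token used to sign the attestation
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          # Setting registry-url makes setup-node write an .npmrc that reads NODE_AUTH_TOKEN.
          registry-url: "https://registry.npmjs.org"

      - run: npm ci

      - name: Resolve version from the release tag or the manual input
        run: |
          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
            VERSION="${{ github.event.inputs.version }}"
          else
            VERSION="${{ github.event.release.tag_name }}"
          fi
          VERSION="${VERSION#v}"   # strip a leading "v" so the tag v9.7.1 becomes 9.7.1
          echo "VERSION=$VERSION" >> "$GITHUB_ENV"

      - name: Write the version into package metadata before publishing
        run: node ./scripts/update-version.mjs "$VERSION"

      - run: npm run build   # assumed build step; replace with the project's real one

      - name: Publish with a provenance attestation
        # --access public is needed for a scoped package such as @line/bot-sdk.
        run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

Because the attestation records the repository, the commit and the workflow file that produced the tarball, the metadata rewrite performed in the "Write the version" step is itself part of the attested build definition, which is the transparency argument made in the comment above. On the consuming side, `npm audit signatures` checks the registry signatures and provenance attestations of the packages in a project's lockfile, so a downstream project can confirm that the published tarball really came from this workflow rather than from a developer's machine holding the token.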

@Yang-33 Yang-33 marked this pull request as ready for review February 14, 2025 07:48
@Yang-33 Yang-33 requested a review from a team February 14, 2025 07:48
@Yang-33 Yang-33 force-pushed the users/yuta-kasai/publish-packages-with-provenance branch from 4cfe2c8 to dd24ce3 February 14, 2025 07:50
@Yang-33 Yang-33 merged commit 3a0b18f into line:master Feb 14, 2025
6 checks passed
@Yang-33 Yang-33 deleted the users/yuta-kasai/publish-packages-with-provenance branch February 14, 2025 08:17
@Yang-33
Contributor Author

Yang-33 commented Feb 14, 2025

Result

(1) sigstore log: https://search.sigstore.dev/?logIndex=171258206
(2) npm shows verification mark

(3) npm shows some detailed info in Provenance section: https://www.npmjs.com/package/@line/bot-sdk/v/9.7.1#provenance
