ci(release): sign artifacts with Sigstore provenance + attestation#537
Open
oso0x34 wants to merge 1 commit into
The release publishes SHA256SUMS but nothing signs it, and `npm publish` runs without provenance — so neither install channel can prove a download came from this repo's build. A checksum published next to the artifact it describes proves integrity, not authenticity: whoever can replace the archive can replace the hash. This adds the missing authenticity layer.

- release.yml: add id-token:write + attestations:write permissions; attest every release archive and SHA256SUMS via actions/attest-build-provenance@v2; add --provenance to npm publish.
- pack-npm.sh: add the `repository` field the generated packages require for `npm publish --provenance` to succeed.
- BUNDLING.md: document `gh attestation verify` and the npm provenance badge.

No keys or secrets introduced — all signing uses the release job's OIDC identity via Sigstore. Verification is opt-in, so the dependency-free `curl | sh` path is unchanged. OS code signing (Gatekeeper/Authenticode) remains a separate TODO.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
What & why
The release pipeline generates `SHA256SUMS` and the npm shim verifies against it, but nothing is signed: `SHA256SUMS` is unsigned and lives in the same release as the artifacts, and `npm publish` runs without `--provenance`. So neither install channel can prove a download actually came from this repo's build.

A checksum published next to the artifact it describes proves integrity, not authenticity — anyone who can replace the archive can replace the hash. This PR adds the missing authenticity layer using Sigstore, with no keys or secrets to manage (everything uses the release job's OIDC identity).
Changes
- `.github/workflows/release.yml` — add `id-token: write` + `attestations: write` permissions; attest every release archive and `SHA256SUMS` via `actions/attest-build-provenance@v2`; add `--provenance` to `npm publish`.
- `scripts/pack-npm.sh` — add the `repository` field to the generated package.json files. `npm publish --provenance` fails without it, so this is required for the workflow change to work.
- `BUNDLING.md` — document `gh attestation verify` and the npm provenance badge; reframe the "code signing" TODO as OS code signing (Gatekeeper/Authenticode), which is separate.

How to verify after a release
Notes for the maintainer
- The `curl | sh` path is unchanged. (Wiring `gh attestation verify` into `install.sh` would break its "no dependencies" design, so I deliberately left the installers alone.)
- `workflow_dispatch` + `NPM_TOKEN`), so please sanity-check on a test release. The two things to confirm: the `repository` URL matches this repo (provenance is strict about it), and the attestation step finds `release/codegraph-*`.
- `scripts/npm-shim.js` `verifyChecksum()` is fail-open (skips when `SHA256SUMS` is absent/unlisted). Once releases reliably ship sums, making it fail-closed for versions that publish them would close the downgrade gap. Happy to do that as a separate PR if you want it.

🤖 Generated with Claude Code
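The two verification layers this PR describes, written out as an added shell example (not the PR's or the project's code): `SHA256SUMS` is checked for integrity, then `gh attestation verify --repo` pins the Sigstore attestation to the source repository for authenticity. `OWNER/REPO` is a placeholder, the release payload and archive name are constructed for the demo, and the demo deliberately shows that a swapped archive with a rewritten `SHA256SUMS` still passes the checksum layer, which is exactly the gap the attestation closes.

```shell
#!/bin/sh
# Added example, not the PR's own code: client-side verification of a downloaded
# release archive in the two layers the PR describes.
#   layer 1: SHA256SUMS  -> integrity    (bytes match what the release listed)
#   layer 2: attestation -> authenticity (bytes were built by this repo's workflow)
# OWNER/REPO is a placeholder; the payload and file names below are constructed.

# Portable SHA-256 digest of a file (coreutils sha256sum, or shasum where absent).
digest() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi |
    awk '{print $1}'
}

# Layer 1. Exit codes: 0 listed and matching, 1 listed but mismatching, 2 not listed.
# sha256sum writes "<hex>  <name>" (text mode) or "<hex> *<name>" (binary mode);
# both spellings are accepted.
check_sum() {
  archive=$1; sums=$2
  name=$(basename "$archive")
  expected=$(awk -v f="$name" '$2 == f || $2 == ("*" f) {print $1; exit}' "$sums")
  [ -n "$expected" ] || return 2
  [ "$(digest "$archive")" = "$expected" ]
}

# Layer 2. Delegates to gh and pins the attestation to the source repo, so an
# archive built by some other workflow fails even when its digest is consistent.
verify_provenance() {
  archive=$1; repo=$2
  if ! command -v gh >/dev/null 2>&1; then
    echo "gh not installed; provenance for $archive not verified" >&2
    return 3
  fi
  gh attestation verify "$archive" --repo "$repo"
}

# Demo: constructed release directory, then what each layer does and does not catch.
demo() {
  tmp=$(mktemp -d)
  archive="$tmp/codegraph-demo.tar.gz"          # constructed name, after release/codegraph-*
  printf 'constructed release payload\n' > "$archive"
  printf '%s  %s\n' "$(digest "$archive")" "$(basename "$archive")" > "$tmp/SHA256SUMS"

  check_sum "$archive" "$tmp/SHA256SUMS" && echo "integrity ok: digest matches SHA256SUMS"

  # Whoever can replace the archive can replace the hash: after a swap of both
  # files, layer 1 still passes. Only the attestation ties the bytes to the build.
  printf 'swapped payload\n' > "$archive"
  printf '%s  %s\n' "$(digest "$archive")" "$(basename "$archive")" > "$tmp/SHA256SUMS"
  check_sum "$archive" "$tmp/SHA256SUMS" && echo "integrity still ok after swap: a checksum is not authenticity"

  verify_provenance "$archive" "OWNER/REPO" || echo "provenance check returned $? (expected: no attestation exists for a constructed archive)"
  rm -rf "$tmp"
}

demo
```

`check_sum` is deliberately fail-closed: an archive that `SHA256SUMS` does not list returns a distinct status (2) instead of being skipped, which is the behaviour the notes above suggest for `verifyChecksum()` once releases reliably ship sums. `verify_provenance` needs network access and a `gh` login; the rest runs offline.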