Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Merge GitLab provenance generation into latest #6525

Closed
wants to merge 2 commits into from
Closed

Merge GitLab provenance generation into latest #6525

wants to merge 2 commits into from

Conversation

wlynch
Copy link
Contributor

@wlynch wlynch commented Jun 5, 2023

This merges #6375 into latest.

We were waiting on a working example in the npm UI, which we now have with https://www.npmjs.com/package/@ps-testing/gitlab-npm-provenance#provenance

There are some additional Fulcio claim changes being discussed in sigstore/fulcio#1206, but this shouldn't affect anything with npm cli.

/cc @feelepxyz

References

Fixes #6373

wlynch and others added 2 commits May 18, 2023 12:19
@wlynch @wraithgar
feat: Add GitLab CI provenance (npm#6375)
22370aa 
This is a first pass at provenance generation for GitLab CI.

This is based loosely off of existing GitLab provenance documents:
https://about.gitlab.com/blog/2022/11/30/achieve-slsa-level-2-compliance-with-gitlab/
https://gist.github.com/wlynch/c7fd8f53adc77d3c0ec82356e4d43cb5
@wlynch
Merge branch 'latest' into provenance
04c6df8 
Merges gitlab provenance generation into latest branch. See working
example at https://www.npmjs.com/package/@ps-testing/gitlab-npm-provenance#provenance
@wlynch wlynch requested a review from a team as a code owner June 5, 2023 15:16
@wraithgar wraithgar self-assigned this Jun 5, 2023
feelepxyz
feelepxyz reviewed Jun 6, 2023
View reviewed changes
package-lock.json
@@ -15828,6 +15828,7 @@
"license": "ISC",
"dependencies": {
"ci-info": "^3.6.1",
"libnpmpublish": "file:",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What's going on here?

feelepxyz
feelepxyz reviewed Jun 6, 2023
View reviewed changes
workspaces/libnpmpublish/lib/provenance.js
const GITHUB_BUILD_TYPE_VERSION = 'v2'

const GITLAB_BUILD_TYPE_PREFIX = 'https://github.com/npm/cli/gitlab'
const GITLAB_BUILD_TYPE_VERSION = 'v0alpha1'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Any point bumping this to something like v0beta1?

@feelepxyz
Copy link
Contributor

We were waiting on a working example in the npm UI, which we now have with https://www.npmjs.com/package/@ps-testing/gitlab-npm-provenance#provenance

@wlynch thanks for opening this up!

I would like to hold off merging this until we've fixed up some of the links in the UI. Should get this done this week.

@wraithgar
Copy link
Member

I think the PR that we want to land is the actual provenance branch itself. If there are changes still to be made (i.e. GITLAB_BUILD_TYPE_VERSION) please submit a PR to that branch.

@wraithgar
Copy link
Member

#6526

@wraithgar wraithgar closed this Jun 6, 2023
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@feelepxyz feelepxyz feelepxyz left review comments

Assignees

@wraithgar wraithgar

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

(libnpmpublish) GitLab CI provenance
3 participants
@wlynch @feelepxyz @wraithgar