Support for GitLab provenance #593

Open
laurentsimon opened this issue May 11, 2023 · 2 comments
Labels
area:gitlab area:npm An issue with verification of npm packages specs:v1.0

Comments

@laurentsimon
Contributor

GitLab has some support in npm/cli#6375

https://gist.github.com/wlynch/42e89527d51bc72a61279f0c7f3be1cd

@laurentsimon
Contributor Author

v0.2 provenance does not have a stable builder ID, so we may defer implementation to v1.0

@ramonpetgrave64
Contributor

ramonpetgrave64 commented Jun 24, 2024

They are still using SLSA v0.2, and that older definition of BuilderID.

I think for GitLab the BuilderID should also be the ref to GitLab's own equivalent of a GithubWorkflow definition YAML file. And we would need to upgrade the npmcli attestation-generating code to start using v1, like @laurentsimon suggests.
