SLSA v1.0 verification support for npm packages built by the npm cli #450
Comments
Should we be able to do this? They are not SLSA 3, so it complicates the logic we have for detecting a trusted builder.

@asraa I think you're right. I think it was (perhaps mistakenly) listed in one of our meeting docs and that's why I created the issue. Though I think we may need to do some detection of SLSA levels in the future (supporting builders capable of SLSA 3 but not necessarily always SLSA 3). In npm CLI's case, it's never SLSA 3 so I'll just go ahead and close.

Re-opening based on today's discussion. We will support the trusted builder.
Fixes #614, #450, #449, #515

Adds support for npm CLI's build provenances, generated when running `npm publish --provenance --access public` from a [GitHub Actions workflow](https://github.com/ramonpetgrave64/gundam-visor/blob/599500821344b070902a7a5666064bfdaba715df/.github/workflows/npm-publish.yml#L21).

## Testing

- added unit tests for some new helper functions
- added regression test cases

## Future work

- #493, so we can do `--print-provenance` - implemented in #768 (comment)

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Verification support for the npm CLI as defined by RFC-0049