Open tjenkinson opened 7 months ago
Open to adding it but last I checked this didn't work:
Unfortunately my current automation creates the release commit and tag off of the preceding commit (because thats a tedious process and I want to make sure its done consistently) and npm provenance statements don't work unless the action runner was triggered directly off of the commit hash that is requesting the provenance statement.
I was thinking I could add a two-step action: create the release commit and tags with the changelog, and then trigger a subsequent action run on that specific commit which performs the npm release, then provenance would work. But it has drawbacks:
I'll try to revisit this, but in the meantime here is what this module does implement security wise:
Thats probably more words that you need but thats my current brain dump on the issue.
Ah interesting. Are you sure the provenance check won't work with the manual dispatch trigger and still sign it with a link back to the job that ran and some of the job metadata? That still seems valuable to me as it's connecting the published package back to the GitHub job run.
All sounds good though. I thought this would be a quick win.
Feel free to close this 🙂
We can leave open for a bit to provide motivation to look into it again. I convinced myself Provenance was another DOA npm feature launch back when it first came out, but I should revisit to make sure my assumptions are still correct.
@bcomnes I think we can merge this 👍 Provenance would be good
@voxpelli I don't think it will work as written though. Need to test it out and or change the automation flow to accommodate provenance. I don't think it likes it when providence is signed in an action run thats different than the release commit.
Thinking of revisiting this given the uptick in usage.
my current automation creates the release commit and tag off of the preceding commit (because thats a tedious process and I want to make sure its done consistently)
i maintain semantic-release, which supports npm provenance. whether you'd want to adopt semantic-release completely falls to your preferences, but if that is a route you'd be interested in, i'd be happy to help with any questions you might have
Semantic release is great, been meaning to revisit sometime soon.
See https://docs.npmjs.com/generating-provenance-statements
It signs the release linking it back to the github action run that built it.
Might be worth adding a new option to
bcomnes/npm-bump
but went with this for now.