slsa-framework / slsa-verifier

Verify provenance from SLSA compliant builders
Apache License 2.0
216 stars, 45 forks

feat: support npm cli provenance v1 attestations #776

Open ramonpetgrave64 opened 1 month ago

ramonpetgrave64 commented 1 month ago

Fixes #614, #450, #449, #515

Adds support for npm CLI build provenances, generated when running npm publish --provenance --access public from a GitHub Actions workflow.

Testing

Future work
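For readers who want to see what "npm CLI build provenance" means at the byte level, the following Go program is an added example (not code from slsa-verifier or from this PR). It unwraps the DSSE envelope that npm publish --provenance emits, decodes the in-toto v1 Statement inside, and applies the structural checks a verifier makes: payload type, statement and predicate type, buildType and builder.id, and that the subject names exactly the package@version being installed with a sha512 digest. The buildType and builder.id strings, the purl form of the subject, and the sample envelope (fake digest, fake signature) are assumptions constructed for the example, not taken from the page. The program deliberately does not verify the signature: without first validating the Sigstore bundle's signature and signing identity, every field it extracts is attacker-controlled.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Spec constants (DSSE, in-toto, SLSA); the npm CLI buildType and builder.id are assumed values.
const (
	inTotoPayloadType = "application/vnd.in-toto+json"
	statementV1       = "https://in-toto.io/Statement/v1"
	slsaProvenanceV1  = "https://slsa.dev/provenance/v1"
	npmCLIBuildType   = "https://github.com/npm/cli/gha/v2"
	ghaBuilderID      = "https://github.com/actions/runner/github-hosted"
)

// Envelope is the DSSE envelope: a base64 payload plus detached signatures.
type Envelope struct {
	PayloadType string            `json:"payloadType"`
	Payload     string            `json:"payload"`
	Signatures  []json.RawMessage `json:"signatures"`
}

// Source is externalParameters.workflow: the repository and ref the build ran from.
type Source struct {
	Ref        string `json:"ref"`
	Repository string `json:"repository"`
}

// Statement is the subset of an in-toto v1 Statement / SLSA v1 predicate that is read.
type Statement struct {
	Type          string `json:"_type"`
	PredicateType string `json:"predicateType"`
	Subject       []struct {
		Name   string            `json:"name"`
		Digest map[string]string `json:"digest"`
	} `json:"subject"`
	Predicate struct {
		BuildDefinition struct {
			BuildType          string                                  `json:"buildType"`
			ExternalParameters struct{ Workflow Source `json:"workflow"` } `json:"externalParameters"`
		} `json:"buildDefinition"`
		RunDetails struct {
			Builder struct{ ID string `json:"id"` } `json:"builder"`
		} `json:"runDetails"`
	} `json:"predicate"`
}

// InspectNpmProvenance unwraps the envelope, applies the structural checks and returns the sha512
// claimed for wantSubject plus the source it was built from. It does NOT verify the signature: a real
// verifier first checks the Sigstore bundle's signature and signing identity, otherwise every field is attacker-controlled.
func InspectNpmProvenance(envelopeJSON []byte, wantSubject string) (string, Source, error) {
	var env Envelope
	if err := json.Unmarshal(envelopeJSON, &env); err != nil {
		return "", Source{}, fmt.Errorf("parse envelope: %w", err)
	}
	if env.PayloadType != inTotoPayloadType || len(env.Signatures) == 0 {
		return "", Source{}, fmt.Errorf("payloadType %q is not in-toto, or envelope is unsigned", env.PayloadType)
	}
	raw, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return "", Source{}, fmt.Errorf("decode payload: %w", err)
	}
	var st Statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return "", Source{}, fmt.Errorf("parse statement: %w", err)
	}
	if st.Type != statementV1 || st.PredicateType != slsaProvenanceV1 {
		return "", Source{}, fmt.Errorf("not a SLSA v1 provenance: %q / %q", st.Type, st.PredicateType)
	}
	bd, builder := st.Predicate.BuildDefinition, st.Predicate.RunDetails.Builder.ID
	if bd.BuildType != npmCLIBuildType || builder != ghaBuilderID {
		return "", Source{}, fmt.Errorf("unexpected buildType %q / builder %q", bd.BuildType, builder)
	}
	// The subject must name exactly the package@version being installed and carry a sha512.
	for _, s := range st.Subject {
		if sum, ok := s.Digest["sha512"]; ok && s.Name == wantSubject {
			return sum, bd.ExternalParameters.Workflow, nil
		}
	}
	return "", Source{}, fmt.Errorf("subject %q with sha512 digest not in provenance", wantSubject)
}

// SampleEnvelope returns a constructed envelope (fake digest, fake signature) in the shape above.
func SampleEnvelope() []byte {
	stmt := `{"_type":"` + statementV1 + `","predicateType":"` + slsaProvenanceV1 + `",` +
		`"subject":[{"name":"pkg:npm/%40example/pkg@1.2.3","digest":{"sha512":"abc123"}}],` +
		`"predicate":{"buildDefinition":{"buildType":"` + npmCLIBuildType + `","externalParameters":` +
		`{"workflow":{"ref":"refs/tags/v1.2.3","repository":"https://github.com/example/pkg"}}},` +
		`"runDetails":{"builder":{"id":"` + ghaBuilderID + `"}}}}`
	env, _ := json.Marshal(map[string]interface{}{
		"payloadType": inTotoPayloadType,
		"payload":     base64.StdEncoding.EncodeToString([]byte(stmt)),
		"signatures":  []map[string]string{{"keyid": "", "sig": "ZmFrZQ=="}},
	})
	return env
}

func main() { fmt.Println(InspectNpmProvenance(SampleEnvelope(), "pkg:npm/%40example/pkg@1.2.3")) }
```

The returned sha512 is what a consumer compares against the tarball it actually fetched from the registry, and the returned source is what it compares against the repository it expects the package to be built from; a provenance that passes every structural check but names a different version, or a different repository, must still be rejected.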

ramonpetgrave64 commented 1 month ago

My implementation turns out to be very similar to another earlier draft in #706

ramonpetgrave64 commented 1 month ago

@laurentsimon @ianlewis @haydentherapper

ramonpetgrave64 commented 1 week ago

@slugclub

ramonpetgrave64 commented 1 week ago

I think this looks good. It'd be nice to see an actual npm provenance included in here for documentation (instead of having to go parse the DSSE envelope).

I added some docs in a new commit

ramonpetgrave64 commented 1 week ago

@laurentsimon @ianlewis