tighten / ziggy

Use your Laravel routes in JavaScript.
MIT License

release: Enable provenance for npm package #684

Closed saibotk closed 10 months ago

saibotk commented 10 months ago

Hey, thanks for the amazing package and recent update!

In this PR, we add provenance statements to package releases using npm. Find out about provenance here: https://docs.npmjs.com/generating-provenance-statements#about-npm-provenance

We now benefit from attestation, so that the published package can be verified and checked if it was actually built on a GitHub Runner, came from this repository and not on somebody's local machine. This is a great improvement for the trust relationship with users downloading the package and to increase supply-chain security for ziggy with little effort.

To do so, we also specify the permissions and allow the action to mint a unique ID token for the attestation, as described in the docs 0.

Additionally, we also constrain the general permissions to the least possible.

Also fixed two yamllint indentation issues.

Thank you!
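The workflow change this PR describes, written out as an added example that is not the PR's diff and not ziggy's actual release workflow; the workflow trigger, job name, Node version and `NPM_TOKEN` secret name are assumptions:

```yaml
# Added example (not ziggy's own workflow): publish to npm with a
# provenance attestation, using the least permissions the job needs.
name: release

on:
  release:
    types: [published]

# Workflow-wide default: read-only. Jobs opt in to anything more.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Lets the runner mint the OIDC ID token that npm exchanges for a
      # Sigstore-backed attestation tying the tarball to this repository,
      # workflow and commit. Without it, --provenance fails.
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm run build
      # --provenance publishes the provenance statement alongside the package.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

Consumers can check the resulting attestations in an installed project with `npm audit signatures`, which reports packages whose registry signature or provenance does not verify.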

bakerkretzmar commented 10 months ago

Cool, didn't know about this at all. Thanks!