From 4622b425751bc6e3eebb9abfa5fc3fbf94890e34 Mon Sep 17 00:00:00 2001
From: Brian DeHamer
Date: Tue, 14 Mar 2023 14:14:48 -0700
Subject: [PATCH] fix: add provenance publish notice (#6247)
Signed-off-by: Brian DeHamer
---
 DEPENDENCIES.md | 2 ++
 package-lock.json | 1 +
 workspaces/libnpmpublish/lib/publish.js | 13 +++++++++++++
 workspaces/libnpmpublish/package.json | 1 +
 4 files changed, 17 insertions(+)
diff --git a/DEPENDENCIES.md b/DEPENDENCIES.md
index d63945a4b9edd..9fbe72ea56391 100644
--- a/DEPENDENCIES.md
+++ b/DEPENDENCIES.md
@@ -64,6 +64,7 @@ graph LR;
 libnpmpublish-->npmcli-eslint-config["@npmcli/eslint-config"];
 libnpmpublish-->npmcli-mock-registry["@npmcli/mock-registry"];
 libnpmpublish-->npmcli-template-oss["@npmcli/template-oss"];
+ libnpmpublish-->proc-log;
 libnpmpublish-->semver;
 libnpmpublish-->ssri;
 libnpmsearch-->npm-registry-fetch;
@@ -408,6 +409,7 @@ graph LR;
 libnpmpublish-->npmcli-eslint-config["@npmcli/eslint-config"];
 libnpmpublish-->npmcli-mock-registry["@npmcli/mock-registry"];
 libnpmpublish-->npmcli-template-oss["@npmcli/template-oss"];
+ libnpmpublish-->proc-log;
 libnpmpublish-->semver;
 libnpmpublish-->sigstore;
 libnpmpublish-->ssri;
diff --git a/package-lock.json b/package-lock.json
index dfd582f19a957..6dbb00892b7e5 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -15210,6 +15210,7 @@
 "normalize-package-data": "^5.0.0",
 "npm-package-arg": "^10.1.0",
 "npm-registry-fetch": "^14.0.3",
+ "proc-log": "^3.0.0",
 "semver": "^7.3.7",
 "sigstore": "^1.0.0",
 "ssri": "^10.0.1"
diff --git a/workspaces/libnpmpublish/lib/publish.js b/workspaces/libnpmpublish/lib/publish.js
index 3f70a30bd8b50..25dedb23633d7 100644
--- a/workspaces/libnpmpublish/lib/publish.js
+++ b/workspaces/libnpmpublish/lib/publish.js
@@ -1,6 +1,7 @@
 const { fixer } = require('normalize-package-data')
 const npmFetch = require('npm-registry-fetch')
 const npa = require('npm-package-arg')
+const log = require('proc-log')
 const semver = require('semver')
 const { URL } = require('url')
 const ssri = require('ssri')
@@ -8,6 +9,8 @@ const ciInfo = require('ci-info')
 const { generateProvenance } = require('./provenance')
+const TLOG_BASE_URL = 'https://rekor.sigstore.dev/api/v1/log/entries'
+
 const publish = async (manifest, tarballData, opts) => {
 if (manifest.private) {
 throw Object.assign(
@@ -169,6 +172,16 @@ const buildMetadata = async (registry, manifest, tarballData, spec, opts) => {
 }
 const provenanceBundle = await generateProvenance([subject], opts)
+ /* eslint-disable-next-line max-len */
+ log.notice('publish', 'Signed provenance statement with source and build information from GitHub Actions')
+
+ const tlogEntry = provenanceBundle?.verificationMaterial?.tlogEntries[0]
+ /* istanbul ignore else */
+ if (tlogEntry) {
+ const logUrl = `${TLOG_BASE_URL}?logIndex=${tlogEntry.logIndex}`
+ log.notice('publish', `Provenance statement published to transparency log: ${logUrl}`)
+ }
+
 const serializedBundle = JSON.stringify(provenanceBundle)
 root._attachments[provenanceBundleName] = {
 content_type: provenanceBundle.mediaType,
diff --git a/workspaces/libnpmpublish/package.json b/workspaces/libnpmpublish/package.json
index 8cf695eab7bdd..84c3eefeaf2ca 100644
--- a/workspaces/libnpmpublish/package.json
+++ b/workspaces/libnpmpublish/package.json
@@ -42,6 +42,7 @@
 "normalize-package-data": "^5.0.0",
 "npm-package-arg": "^10.1.0",
 "npm-registry-fetch": "^14.0.3",
+ "proc-log": "^3.0.0",
 "semver": "^7.3.7",
 "sigstore": "^1.0.0",
 "ssri": "^10.0.1"
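Review bot: The optional chain on the new `tlogEntry` line in the buildMetadata hunk stops one step short — `provenanceBundle?.verificationMaterial?.tlogEntries[0]` still throws a TypeError when `tlogEntries` is absent, which defeats the `if (tlogEntry)` guard that follows; write it as `const tlogEntry = provenanceBundle?.verificationMaterial?.tlogEntries?.[0]`. The transparency-log URL is also built by interpolating `tlogEntry.logIndex` into a string against a hardcoded public Rekor base; since `URL` is already required at the top of this file, `const logUrl = new URL(TLOG_BASE_URL); logUrl.searchParams.set('logIndex', tlogEntry.logIndex)` keeps the value encoded, and if generateProvenance can ever be pointed at a non-default Rekor instance the base should come from that same configuration rather than the constant, otherwise the notice would direct users to a log that does not hold the entry. The first notice also hardcodes "GitHub Actions" in its text, which is only accurate as long as the provenance path is reached solely from that environment — worth a comment tying it to the ciInfo gate if that is the intent. The enclosing buildMetadata function starts and ends outside the hunk.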