slsa-verifier

github/slsa-verifier

Fork 0

mirror of https://github.com/slsa-framework/slsa-verifier.git synced 2026-02-14 17:49:58 +00:00

Commit Graph

Author SHA1 Message Date

Author	SHA1	Message	Date
Ville Skyttä	9108dc2890	docs(npm): "exmaple" spelling fix (#832 ) Signed-off-by: Ville Skyttä <ville.skytta@iki.fi>	2025-02-14 16:46:36 -05:00
Ramon Petgrave	7f3db9211e	feat: support npm cli provenance v1 attestations (#776 ) Fixes #614, #450, #449, #515 Adds support for NPM CLIs build provenances, generated when running `npm publish --provenance --access public` from a [GitHub Actions workflow](`5995008213/.github/workflows/npm-publish.yml (L21)`). ## Testing - added unit tests for some new helper functions - added regression test cases ## Future work - https://github.com/slsa-framework/slsa-verifier/issues/493, so we can do `--print-provenance` - implemented in https://github.com/slsa-framework/slsa-verifier/pull/768#discussion_r1662938115 --------- Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>	2024-07-30 19:46:04 +00:00
Ramon Petgrave	23160d82c0	feat: workflow to update actions dist (#760 ) Add a new Post-Commit workflow, to make these renovate-bot updates a bit easier. Previously, we had to clone the PR locally, run `make package`, and then push to the PR. Now we would just need to use the github UI to invoke this new workflow against the PR number. We could also copy this over to the slsa-github-generator repo. > A workflow to run against renovate-bot's PRs, > such as `make package` after it updates the package.json and package-lock.json files. > The potentially untrusted code is first run inside a low-privilege Job, and the diff is uploaded as an artifact. > Then a higher-privilege Job applies the diff and pushes the changes to the PR. > It's important to only run this workflow against PRs from trusted sources, after also reviewing the changes! ## Testing. Tested in my own private fork, where when applicable, it pushed a commit of changes to `dist/` folders - https://github.com/ramonpetgrave64/slsa-verifier/actions/runs/8806815483 - https://github.com/ramonpetgrave64/slsa-verifier/pull/8/commits - https://github.com/ramonpetgrave64/slsa-verifier/actions/runs/8806841353 - https://github.com/ramonpetgrave64/slsa-verifier/pull/16/commits --------- Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com> Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>	2024-05-06 17:56:35 -04:00

Ville Skyttä

9108dc2890

docs(npm): "exmaple" spelling fix (#832 )

Signed-off-by: Ville Skyttä <ville.skytta@iki.fi>

2025-02-14 16:46:36 -05:00

Ramon Petgrave

7f3db9211e

feat: support npm cli provenance v1 attestations (#776 )

Fixes #614, #450, #449, #515

Adds support for NPM CLIs build provenances, generated when running `npm
publish --provenance --access public` from a [GitHub Actions
workflow](5995008213/.github/workflows/npm-publish.yml (L21)).

## Testing

- added unit tests for some new helper functions
- added regression test cases

## Future work

- https://github.com/slsa-framework/slsa-verifier/issues/493, so we can
do `--print-provenance`
- implemented in
https://github.com/slsa-framework/slsa-verifier/pull/768#discussion_r1662938115

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

2024-07-30 19:46:04 +00:00

Ramon Petgrave

23160d82c0

feat: workflow to update actions dist (#760 )

Add a new Post-Commit workflow, to make these renovate-bot updates a bit
easier.
Previously, we had to clone the PR locally, run `make package`, and then
push to the PR.
Now we would just need to use the github UI to invoke this new workflow
against the PR number.
We could also copy this over to the slsa-github-generator repo.

> A workflow to run against renovate-bot's PRs,
> such as `make package` after it updates the package.json and
package-lock.json files.
> The potentially untrusted code is first run inside a low-privilege
Job, and the diff is uploaded as an artifact.
> Then a higher-privilege Job applies the diff and pushes the changes to
the PR.
> It's important to only run this workflow against PRs from trusted
sources, after also reviewing the changes!

## Testing.

Tested in my own private fork, where when applicable, it pushed a commit
of changes to `dist/` folders
-
https://github.com/ramonpetgrave64/slsa-verifier/actions/runs/8806815483
  - https://github.com/ramonpetgrave64/slsa-verifier/pull/8/commits
-
https://github.com/ramonpetgrave64/slsa-verifier/actions/runs/8806841353
  - https://github.com/ramonpetgrave64/slsa-verifier/pull/16/commits

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>

2024-05-06 17:56:35 -04:00

3 Commits