+46
-1
lines changed Original file line number Diff line number Diff line change
@@ -241,6 +241,11 @@ jobs:
241
241
runs-on: ${{matrix.platform[0]}}-${{matrix.platform[1]}}
242
242
needs: build
243
243
244
+
# Permission required to produce a valid provenance statement during the tests
245
+
# Only run inside the main repository; this may fail in master since it doesn't run in PRs from forks
246
+
permissions:
247
+
id-token: write
248
+
244
249
steps:
245
250
- uses: actions/checkout@v4
246
251
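Review bot: `id-token: write` is granted job-wide, so every step of this test job — third-party actions and the test run that installs and publishes fixture packages — can mint an OIDC token that attests to this repository's workflow, not just the one provenance test; if the job layout allows it, running that test in its own job with the minimum of steps limits what such a token could vouch for. A job-level `permissions:` block also sets every unlisted scope to `none`, so any step that relied on the default token (e.g. `contents: read` for checkout of a private repository) must now list it explicitly. The added comment is misleading as written: the test in this change guards on `ACTIONS_ID_TOKEN_REQUEST_URL` and is skipped, not failed, when no token is issued, so I would write `# id-token is not granted to PRs from forks, so the provenance test is skipped there and only runs on pushes to the main repository`. The job definition begins before this hunk and the `on:` trigger that decides where the token is issued is not visible here.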
Original file line number Diff line number Diff line change
@@ -25,6 +25,7 @@
25
25
"pkg-tests-fixtures": "workspace:^",
26
26
"semver": "^7.1.2",
27
27
"serve-static": "^1.14.1",
28
+
"sigstore": "^3.1.0",
28
29
"super-resolve": "^1.0.0",
29
30
"tar-fs": "^1.16.0",
30
31
"tslib": "^2.4.0"
Original file line number Diff line number Diff line change
@@ -13,6 +13,7 @@ import os from 'os';
13
13
import pem from 'pem';
14
14
import semver from 'semver';
15
15
import serveStatic from 'serve-static';
16
+
import * as sigstore from 'sigstore';
16
17
import stream from 'stream';
17
18
import * as t from 'typanion';
18
19
import {promisify} from 'util';
@@ -569,6 +570,15 @@ export const startPackageServer = ({type}: {type: keyof typeof packageServerUrls
569
570
if (typeof body.versions[version].gitHead !== `undefined` && name === `githead-forbidden`)
570
571
return processError(response, 400, `Unexpected gitHead`);
571
572
573
+
if (name === `provenance-required`) {
574
+
try {
575
+
const bundle = JSON.parse(body._attachments[`${name}-${version}.sigstore`].data);
576
+
sigstore.verify(bundle);
577
+
} catch (error) {
578
+
return processError(response, 400, (error as Error).message);
579
+
}
580
+
}
581
+
572
582
response.writeHead(200, {[`Content-Type`]: `application/json`});
573
583
return response.end(rawData);
574
584
});
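Review bot: `sigstore.verify(bundle)` in the new `provenance-required` branch is not awaited; as far as I know sigstore-js's `verify` returns a Promise, so a rejection escapes the `try`/`catch` as an unhandled rejection and the server still answers 200 for an invalid bundle — the check is effectively a no-op for the test. The fix is `await sigstore.verify(bundle);`, which requires the enclosing request handler to be `async` if it is not already (its head is outside this hunk). Even once awaited, the call with no options only checks the signature and log entry against the public trust root and does not pin who signed nor compare the statement's subject digest with the tarball being published; passing sigstore's identity options (`certificateIssuer` / `certificateIdentityURI`) would make the fixture accept only provenance from this workflow, and that limitation deserves a comment either way. A missing attachment currently surfaces as a `TypeError` with an opaque message; an explicit `if (!body._attachments?.[`${name}-${version}.sigstore`]) return processError(response, 400, `Missing provenance bundle`);` before the parse would be clearer. `startPackageServer` begins before this hunk.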
Original file line number Diff line number Diff line change
@@ -1,6 +1,8 @@
1
1
import {npath, xfs} from '@yarnpkg/fslib';
2
2
3
-
export {};
3
+
const {
4
+
tests: {testIf},
5
+
} = require(`pkg-tests-core`);
4
6
5
7
const {
6
8
exec: {execFile},
@@ -86,4 +88,29 @@ describe(`publish`, () => {
86
88
},
87
89
});
88
90
}));
91
+
92
+
testIf(
93
+
() => !!process.env.ACTIONS_ID_TOKEN_REQUEST_URL,
94
+
`should publish a package with a valid provenance statement`,
95
+
makeTemporaryEnv({
96
+
name: `provenance-required`,
97
+
version: `1.0.0`,
98
+
}, async ({run}) => {
99
+
await run(`install`);
100
+
101
+
const githubEnv = Object.fromEntries(
102
+
Object.entries(process.env).filter(([key]) => (
103
+
key.startsWith(`ACTIONS_`) || key.startsWith(`GITHUB_`) || key.startsWith(`RUNNER_`)),
104
+
),
105
+
);
106
+
107
+
await run(`npm`, `publish`, {
108
+
env: {
109
+
...githubEnv,
110
+
YARN_NPM_AUTH_TOKEN: validLogins.fooUser.npmAuthToken,
111
+
YARN_NPM_PUBLISH_PROVENANCE: `true`,
112
+
},
113
+
});
114
+
}),
115
+
);
89
116
});
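Review bot: the new test asserts nothing itself — it passes whenever `yarn npm publish` exits 0 — so the whole guarantee rests on the fixture server rejecting an invalid bundle, and if that server-side check misfires the test stays green unnoticed; asserting on what `run` resolves with (for instance that its `stdout` mentions the provenance statement, if the command logs one) would make the test self-standing. Because `testIf` keys on `ACTIONS_ID_TOKEN_REQUEST_URL`, the test is skipped on every PR from a fork and on local runs, so a regression in provenance generation is only detected after merge; that is worth a comment above the `testIf`, e.g. `// Needs an OIDC token (id-token: write); skipped in fork PRs and locally, so failures only show up on master`. The forwarded environment includes every `ACTIONS_*` variable, which also hands `ACTIONS_RUNTIME_TOKEN` and the ID-token request token to the child process; acceptable for a test, but narrowing the allow-list to the variables the provenance generator actually reads would make the required inputs explicit. The `describe('publish')` block starts before this hunk.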
Original file line number Diff line number Diff line change
@@ -16872,6 +16872,7 @@ pem@dexus/pem:
16872
16872
pkg-tests-fixtures: "workspace:^"
16873
16873
semver: "npm:^7.1.2"
16874
16874
serve-static: "npm:^1.14.1"
16875
+
sigstore: "npm:^3.1.0"
16875
16876
super-resolve: "npm:^1.0.0"
16876
16877
tar-fs: "npm:^1.16.0"
16877
16878
tslib: "npm:^2.4.0"