{"id":31764398,"url":"https://github.com/danielroe/provenance-action","last_synced_at":"2025-10-09T23:52:07.496Z","repository":{"id":315056227,"uuid":"1057903594","full_name":"danielroe/provenance-action","owner":"danielroe","description":"Fail CI when dependencies in your lockfile lose npm provenance or trusted publisher status","archived":false,"fork":false,"pushed_at":"2025-10-06T09:02:41.000Z","size":389,"stargazers_count":284,"open_issues_count":2,"forks_count":5,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-10-06T11:15:06.358Z","etag":null,"topics":["github-actions","provenance","security","trusted-publishing"],"latest_commit_sha":null,"homepage":"","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/danielroe.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":["danielroe"]}},"created_at":"2025-09-16T11:08:14.000Z","updated_at":"2025-10-06T09:02:44.000Z","dependencies_parsed_at":"2025-09-16T13:52:18.810Z","dependency_job_id":null,"html_url":"https://github.com/danielroe/provenance-action","commit_stats":null,"previous_names":["danielroe/oidc-action"],"tags_count":5,"template":false,"template_full_name":null,"purl":"pkg:github/danielroe/provenance-action","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/danielroe%2Fprovenance-action","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/danielroe%2Fprovenance-action/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/danielroe%2Fprovenance-action/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/danielroe%2Fprovenance-action/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/danielroe","download_url":"https://codeload.github.com/danielroe/provenance-action/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/danielroe%2Fprovenance-action/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":279002300,"owners_count":26083342,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-09T02:00:07.460Z","response_time":59,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github-actions","provenance","security","trusted-publishing"],"created_at":"2025-10-09T23:52:06.626Z","updated_at":"2025-10-09T23:52:07.489Z","avatar_url":"https://github.com/danielroe.png","language":"TypeScript","funding_links":["https://github.com/sponsors/danielroe"],"categories":[],"sub_categories":[],"readme":"# `danielroe/provenance-action`\n\nFail CI when dependencies in your lockfile lose npm provenance or trusted publisher status.\n\n\u003e [!WARNING]\n\u003e This action is under active development and is only one tool to assist in securing your dependencies.\n\n## ✨ Features\n- supports `pnpm-lock.yaml`, `package-lock.json`, `yarn.lock` (v1 and v2+), `bun.lock`\n- handles transitives by comparing resolved versions\n- inline GitHub annotations at the lockfile line\n- JSON output and optional hard‑fail (default: on)\n- pure TypeScript, Node 24+\n\n👉 See it in action: [danielroe/provenance-action-test](https://github.com/danielroe/provenance-action-test)\n\n## 🚀 Quick start\n```yaml\nname: ci\non:\n  pull_request:\n    branches:\n      - main\n    paths:\n      # Trigger a run only on PRs that change the lockfile\n      # (keep whichever is relevant and/or configure its path):\n      - pnpm-lock.yaml\n      - package-lock.json\n      - yarn.lock\n      - bun.lock\n\npermissions:\n  contents: read\njobs:\n  check-provenance:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v4\n        with:\n          fetch-depth: 0\n      - name: Check provenance downgrades\n        uses: danielroe/provenance-action@main\n        id: check\n        with:\n          fail-on-provenance-change: true # optional, default: false\n        #   lockfile: pnpm-lock.yaml      # optional\n        #   base-ref: origin/main         # optional, default: origin/main\n        #   fail-on-downgrade: true       # optional, default: true\n      - name: Print result\n        run: \"echo 'Downgraded: ${{ steps.check.outputs.downgraded }}'\"\n```\n\n## 🔧 Inputs\n- `lockfile` (optional): Path to the lockfile. Auto-detected if omitted.\n- `workspace-path` (optional): Path to workspace root. Default: `.`\n- `base-ref` (optional): Git ref to compare against. Default: `origin/main`.\n- `fail-on-downgrade` (optional): Controls failure behavior. Accepts `true`, `false`, `any`, or `only-provenance-loss`. Default: `true` (which is the same as `any`).\n- `fail-on-provenance-change` (optional): When `true`, fail on provenance repository/branch changes. Default: `false`.\n\n## 📤 Outputs\n- `downgraded`: JSON array of `{ name, from, to, downgradeType }` for detected downgrades. `downgradeType` is `provenance` or `trusted_publisher`.\n- `changed`: JSON array of provenance change events `{ name, from, to, type, previousRepository?, newRepository?, previousBranch?, newBranch? }`.\n\n## 🧠 How it works\n1. Diffs your lockfile against the base ref and collects changed resolved versions (including transitives).\n2. Checks npm provenance via the attestations API for each `name@version`.\n3. Falls back to version metadata for `dist.attestations`.\n4. Emits file+line annotations in the lockfile.\n5. If provenance exists for both the previous and new version, extracts GitHub `owner/repo` and branch from attestations and warns when they differ (repo changed or branch changed).\n\n## 🔒 Why this matters\nTrusted publishing links a package back to its source repo and build workflow, providing strong provenance guarantees. It helps ensure the package you install corresponds to audited source and CI.\n\nHowever, maintainers can still be phished or coerced into publishing without trusted publishing enabled, or switching to a non‑trusted path. In those cases, packages may still carry attestations, but the chain back to the trusted publisher can be weakened.\n\nThis action:\n- Detects when a dependency update loses npm provenance (no attestations) or loses trusted publisher (attestations but no trusted publisher marker), and\n- Fails CI by default (configurable), before that change lands in your main branch.\n\nThis is a stopgap until package managers enforce stronger policies natively. Until then, it offers a lightweight guardrail in CI.\n\n## ⚠️ Notes\n- Runs on Node 24+ and executes the TypeScript entrypoint directly.\n- `bun.lockb` is not supported. (You can generate a `bun.lock` with `bun install --save-text-lockfile`.)\n- Repository and branch change detection is best‑effort; attestation shapes vary and some packages omit repo/ref details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdanielroe%2Fprovenance-action","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdanielroe%2Fprovenance-action","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdanielroe%2Fprovenance-action/lists"}