https://github.com/aenguerrand/npm-publish-slsa-two-steps
Lab repository demonstrates how to create provenance without using the npm CLI and publish a package to npmjs.com with an attached provenance file (not generated by the npm CLI)
npmjs slsa supply-chain-security
Last synced: about 2 months ago
- Host: GitHub
- URL: https://github.com/aenguerrand/npm-publish-slsa-two-steps
- Owner: AEnguerrand
- Created: 2024-12-02T13:49:20.000Z (10 months ago)
- Default Branch: main
- Last Pushed: 2024-12-15T11:07:05.000Z (10 months ago)
- Last Synced: 2024-12-15T11:28:25.819Z (10 months ago)
- Topics: npmjs, slsa, supply-chain-security
- Language: JavaScript
- Homepage:
- Size: 77.1 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
# npm-publish-slsa-two-steps
This lab repository demonstrates how to create provenance without using the npm CLI and publish a package to npmjs.com with an attached provenance file (not generated by the npm CLI). This lab was conducted to ensure compatibility with changesets and the external provenance mechanism, even if the package is not directly pushed to npmjs.com.
Here is a table of all GitHub workflows in this repository:
| Workflow File | Workflow Name | Description | Status |
|--------------------------------------|----------------------------------|---------------------------------------------------------------------------------------|--------|
| github-attest-predicate.yaml | Github Attest - Custom Predicate | Based on `actions/attest`. Attest a package with a custom predicate and publish it to npm with attached provenance. | :x: |
| github-attest.yaml | Github Attest | Based on `actions/attest`. Attest a package and publish it to npm with attached provenance. | :x: |
| sigtstorejs.yaml | Sigstore JS | Workflow for integrating SigstoreJS with your project. | :x: |
| slsa-generator-nodejs-custom.yaml | SLSA Generator Custom NodeJS | Based on `SLSA GitHub Generator`. Generate SLSA provenance using custom logic for NodeJS projects. | :white_check_mark: |
| slsa-generator-nodejs.yaml | SLSA Generator NodeJS | Based on `SLSA GitHub Generator`. Generate SLSA Level 3 provenance using the SLSA GitHub Generator for NodeJS. | :white_check_mark: |