Skip to content

Commit

Permalink
Enable supply chain security through npm provenance attestation
Browse files Browse the repository at this point in the history 
- Configure GitHub Actions workflow for secure publishing
- Enable automatic provenance generation during npm publish
- Add integrity verification through Sigstore transparency logs
  • Loading branch information
@pupapaik
pupapaik committed Nov 7, 2024
1 parent dfc7bdc commit b35e8d4
Showing 1 changed file with 3 additions and 1 deletion.
4 changes: 3 additions & 1 deletion .github/workflows/deploy.yml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,8 @@ env:

permissions:
contents: read
id-token: write # Required for provenance
packages: write # Required for publishing

jobs:
build:
Expand Down Expand Up @@ -61,6 +63,6 @@ jobs:
registry-url: "https://registry.npmjs.org"

- name: Publish on npm
run: npm publish
run: npm publish --provenance
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

0 comments on commit b35e8d4

Please sign in to comment.