Automatically publish to npm with provenance #7317
joycebrum
started this conversation in
Ideas / Feature request
Hi! I'd like to suggest that rxjs publish to npm using GitHub workflows and provenance.
Automatic Build on a Hosted Build Platform is a security practice for the release process that is recommended by SLSA (Supply-chain Levels for Software Artifacts).
The SLSA Framework works to prevent the following risks that many artifacts are exposed to in the release process.
To make it easier for JS developers, npm has released a feature to show the provenance attestation of a given artifact on the project page.
And it is really easy to configure and run. I've tested it in this dummy project, and this is basically how the GitHub workflow would look: https://github.com/joycebrum/dummy-project/blob/main/.github/workflows/release.yml.
The prerequisites are quite simple: to work, the npm version will need to be 9.5.0+ (an upgrade will be enough to ensure that), and the build should run through GitHub Actions (there is still no support for other hosted build platforms).
Let me know if you are interested in adapting the project's release process to run on GitHub, and I'll be happy to better understand how the project is currently publishing to npm (perhaps through Firebase?).
Thanks!
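For readers who want to see what the proposal amounts to in practice, the following is an added, illustrative GitHub Actions workflow that publishes a package with an npm provenance attestation. It is not the dummy-project's file linked above and not rxjs code; the workflow name, the `v*` tag trigger, the `NPM_TOKEN` secret name, the Node version, and the assumption that `npm run build` produces the artifact are all choices made for this example.

```yaml
# Added example, not the linked dummy-project workflow or an rxjs file.
# Assumed: workflow named "release", releases cut by pushing a "v*" tag,
# an npm automation token stored as the NPM_TOKEN repository secret,
# Node 20, and "npm run build" producing the published artifact.
name: release

on:
  push:
    tags:
      - "v*"

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # checkout only; the job never writes back to the repo
      id-token: write  # required: npm requests a GitHub OIDC token and binds it into the attestation
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          # setup-node writes an .npmrc that reads NODE_AUTH_TOKEN for this registry
          registry-url: "https://registry.npmjs.org"

      # --provenance was introduced in npm 9.5.0; make sure the runner's npm is new enough
      - run: npm install -g npm@latest

      - run: npm ci
      - run: npm run build

      # The attestation is generated and uploaded alongside the tarball.
      # --access public is only needed for scoped packages that should be public.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

Two points a maintainer adopting this would want to check. First, `permissions: id-token: write` is what makes provenance possible: without it npm cannot obtain the OIDC token that ties the published tarball to this repository, workflow and commit, and `npm publish --provenance` fails instead of silently publishing without an attestation. Second, on the consuming side, `npm audit signatures` (npm 9.5.0+) verifies registry signatures and provenance attestations for installed dependencies, so the benefit is not only the badge on the npm project page but a check that can run in CI. Pinning the `actions/*` steps to a commit SHA rather than a version tag is a reasonable hardening step on top of this, since the workflow itself is now part of the trusted release path.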