Skip to content

feat: Add --provenance-bundle flag to npm publish #6300

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 4 commits into from
Closed

feat: Add --provenance-bundle flag to npm publish #6300

wants to merge 4 commits into from

Conversation

@ianlewis
Copy link

@ianlewis ianlewis commented Mar 29, 2023

This PR adds a new --provenance-bundle flag alongside the --provenance flag for npm publish. The flag takes a file path to a file in sigstore bundle format (JSON encoded).

This allows CI builders to generate signed provenance external to the npm CLI and upload it to the npm registry along with the created package.

ianlewis and others added 4 commits March 9, 2023 06:29
@ianlewis
feat: sigstore bundle for provenance
bc657b7 
This updates the `--provenance` flag to also take a string path to a
sigstore bundle in JSON format that can be uploaded with a package by
`npm publish`.

Previous functionality of specifying `--provenance` as a boolean is
preserved.

Signed-off-by: Ian Lewis <ianlewis@google.com>
Merge branch 'latest' into oob-provenance
1e326de 
Signed-off-by: Ian Lewis <ianlewis@google.com>
Add separate provenance-bundle option
68048cc 
Signed-off-by: Ian Lewis <ianlewis@google.com>
Verify oob sigstore bundles
53c6995 
Signed-off-by: Ian Lewis <ianlewis@google.com>
@ianlewis ianlewis mentioned this pull request Mar 29, 2023
Closed
@ianlewis ianlewis marked this pull request as ready for review March 29, 2023 03:17
@ianlewis ianlewis requested a review from a team as a code owner March 29, 2023 03:17
@ianlewis ianlewis requested review from lukekarrys and removed request for a team March 29, 2023 03:17
ljharb
ljharb reviewed Mar 29, 2023
View reviewed changes
workspaces/libnpmpublish/lib/publish.js
Comment on lines +142 to +147
if (provenance === true && provenanceBundle) {
throw Object.assign(
new Error('--provenance and --provenance-bundle cannot be specified at the same time.'),
{ code: 'EUSAGE' }
)
}
Copy link
Contributor

@ljharb ljharb Mar 29, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this seems confusing - if they're mutually exclusive, why not --provenance=path/to/bundle?

Copy link
Author

@ianlewis ianlewis Mar 29, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I did try this. However, I wanted to preserve the existing --provenance boolean, and npm seems finicky about its flags. If I create a flag that can be a boolean or string then npm publish --provenance package-name will no longer work and parse package-name as the argument to --provenance.

@wraithgar
Copy link
Member

wraithgar commented Mar 29, 2023

This is not the direction we are going w/ this flag. We need to fix the bug where we can't configure a flag to be either a boolean or a string, and use that flag for this purpose. The fix is in #6020 (I think? Someone used copilot to "fix" the PR and now it's pretty unreadable).

@wraithgar
Copy link
Member

wraithgar commented Mar 29, 2023

The original provenance PR did have this functionality and that is how we found the config bug, so it was paused till we can fix it.

@wraithgar wraithgar closed this Mar 29, 2023
@ianlewis
Copy link
Author

ianlewis commented Mar 29, 2023

The original provenance PR did have this functionality and that is how we found the config bug, so it was paused till we can fix it.

Just to be clear, Is it fair to say we still want to add the functionality once the config bug is fixed and we just don't want it to be a separate flag?

@wraithgar
Copy link
Member

wraithgar commented Mar 30, 2023

Just to be clear, Is it fair to say we still want to add the functionality once the config bug is fixed and we just don't want it to be a separate flag?

Yes the end goal is for you to be able to go --provenance or --provenance=/tmp/build/foo-1.2.0.output

@ianlewis
Copy link
Author

ianlewis commented Mar 31, 2023

Just to be clear, Is it fair to say we still want to add the functionality once the config bug is fixed and we just don't want it to be a separate flag?

Yes the end goal is for you to be able to go --provenance or --provenance=/tmp/build/foo-1.2.0.output

I created #6313 to explain the flag parsing issue. This is unfortunately blocking me from adding publishing support to https://github.com/slsa-framework/slsa-github-generator.

I think this will also require changes to nopt since flags are not parsed correctly if they could be a boolean or something else like a string. i.e. npm publish --provenance --help would not work as --help would get parsed an argument to --provenance rather than handled as a flag itself`. I think most flag parsing libraries don't allow this so they don't have to handle cases like this.

@ianlewis ianlewis mentioned this pull request Mar 31, 2023
Closed
@ianlewis ianlewis mentioned this pull request May 19, 2023
Closed
2 tasks
@bdehamer
Copy link
Contributor

bdehamer commented May 22, 2023

@ianlewis just an FYI that this work is continuing here.

@travi travi mentioned this pull request Aug 18, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@lukekarrys lukekarrys Awaiting requested review from lukekarrys lukekarrys is a code owner automatically assigned from npm/cli-team

1 more reviewer

@ljharb ljharb ljharb left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@ianlewis @wraithgar @bdehamer @ljharb