feat(security): Configure provenance (#1997)

This adds a cryptographic signature to NPM uploads to show that an upload was done by GitHub Actions and not from somewhere else.
Such a feature should help detect malicious uploads to NPM.
This feature could be extended to other repositories too.
This commit is contained in:
Aaron Dewes 2024-04-03 15:29:31 +02:00 committed by GitHub
parent 8e9dd47e69
commit 3f2032077b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 11 additions and 0 deletions


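--- a/[workflow file path not shown on page]
+++ b/[workflow file path not shown on page]
@@ -6,6 +6,14 @@ on:
 - next
 - beta
 - "*.x"
+# These are recommended by the semantic-release docs: https://github.com/semantic-release/npm#npm-provenance
+permissions:
+contents: write # to be able to publish a GitHub release
+issues: write # to be able to comment on released issues
+pull-requests: write # to be able to comment on released pull requests
+id-token: write # to enable use of OIDC for npm provenance
 jobs:
 release:
 name: release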
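Review bot: The `permissions:` block is declared at the workflow level, so every job in this workflow, not only `release`, receives `contents: write`, `issues: write`, `pull-requests: write` and an OIDC `id-token: write` grant. Moving the same lines under `jobs.release` (the job-level `permissions:` key) keeps the publishing scopes and the provenance token on the one job that publishes, and any job added later starts from the default read-only token. The hunk header counts eight added lines but only six are shown, so the block is probably surrounded by blank lines the rendered page dropped. A provenance attestation only vouches for the workflow that produced the package, so its value also depends on the steps of `release`, which continue outside this hunk, being pinned and reviewed.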


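--- a/[package manifest path not shown on page]
+++ b/[package manifest path not shown on page]
@@ -111,5 +111,8 @@
 }
 ]
 ]
+},
+"publishConfig": {
+"provenance": true
 }
 }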
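Review bot: `"provenance": true` makes npm refuse to publish outside a supported CI runner with OIDC available, so a maintainer running `npm publish` from a workstation with a token will now get an error; that is the intended guardrail, but nothing in this change documents it. A one-line note in the contributing docs, e.g. `Releases are published only by the release workflow; provenance is enabled, so a local npm publish fails by design.`, would spare the next maintainer a confusing failure. Consumers can check the attestation with `npm audit signatures`, which is the detection side of this feature and worth a mention in the README. The release configuration that this `},` closes starts before the hunk.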