Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(package): provenance support #5275

Closed
wants to merge 1 commit into from
Closed

feat(package): provenance support #5275

wants to merge 1 commit into from

Conversation

sambacha
Copy link
Contributor

Support Provenance Statement

A provenance statement is displayed in a packages' registry page, as shown here:

Screenshot 2024-05-25 at 3 58 29 PM

For more information regarding provenance statements and the requirements as defined by npmjs, see https://docs.npmjs.com/generating-provenance-statements#prerequisites

The id-token permission is required to publish to SigStore via OpenID Connect. You can read more about GitHub's attestation program here: https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds

GitHub Action CI Support

You can use PNPM, just be sure to use the latest npm client for the actual publishing part of the release process. Yarn is not supported.

jobs:
  build:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
    steps:
      - uses: actions/checkout@v3
# 
#
+      - run: npm publish --access public
+        env:
+          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
+          NPM_CONFIG_PROVENANCE: true

Scoped Publishing

Seeing as Hardhat is not scoped under the @NomicFoundation org, packages that are scoped should adjust their configuration in the manifest:

"publishConfig": {
  "@nomicfoundation:registry": "https://registry.npmjs.org",
  "provenance": true
  }

npm audit signatures

Example response showing the count of verified registry signatures and verified attestations for all of the packages in a project:

audited 1267 packages in 6s

1267 packages have verified registry signatures

74 packages have verified attestations
```

@changeset-bot changeset-bot
Copy link

changeset-bot bot commented May 25, 2024

⚠️ No Changeset found

Latest commit: 4c14284

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@vercel Vercel
Copy link

vercel bot commented May 25, 2024
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
hardhat ✅ Ready (Inspect) Visit Preview 💬 Add feedback May 25, 2024 11:10pm

@alcuadrado
Copy link
Member

We'll do our next release with our usual process, and I'll get this merged before the next one.

@alcuadrado alcuadrado self-requested a review May 30, 2024 17:27
@alcuadrado alcuadrado self-assigned this Jun 6, 2024
@kanej
Copy link
Member

kanej commented Jun 27, 2024

Hey @sambacha thanks for the PR. We are going to hold on provenance for the moment. It means fully automating our deployments, which is a larger task.
We are going to move to fully automated deployments for the v-next branch as a first step and roll that out along with provenance as part of v3.

@kanej kanej closed this Jun 27, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Sep 27, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@alcuadrado alcuadrado Awaiting requested review from alcuadrado

Assignees

@kanej kanej

@alcuadrado alcuadrado

Labels
status:triaging
Projects
Hardhat
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@sambacha @alcuadrado @kanej