Skip to content

feat: npm package configuration and binary installation script#2244

Draft
chinmaypant21 wants to merge 1 commit into
owasp-noir:mainfrom
chinmaypant21:distribute-npm-binary
Draft

feat: npm package configuration and binary installation script#2244
chinmaypant21 wants to merge 1 commit into
owasp-noir:mainfrom
chinmaypant21:distribute-npm-binary

Conversation

@chinmaypant21

Copy link
Copy Markdown
Contributor

Related to the discussion in #1861.

It's only for reference, just a draft.

publish-npm.yml - ensures that the npm package stays in sync with our GitHub releases.

package.json & install.js - We publish a tiny "wrapper" package to npm so Node.js/JavaScript developers can install Noir using npm install -g @owasp-noir/noir or npx @owasp-noir/noir -b .

Security:

The --provenance flag in yml is a supply-chain security feature. It uses GitHub Actions secure identity token to cryptographically sign the published package. This is related to Trusted Publishing, and aligns with github's npm supply-chain security recommendations

@hahwul @ksg97031
I'm looking forward to hear your thoughts and any suggestions for improving this approach.

@github-actions github-actions Bot added 🦺 github-action Issue for GitHub actions 🛥️ workflow Issue for Workflows labels Jul 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

🦺 github-action Issue for GitHub actions 🛥️ workflow Issue for Workflows

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant