Skip to content
SigStoreJS

fix pack #54

Sign in to view logs

fix pack

fix pack #54

Workflow file for this run

.github/workflows/sigtstorejs.yaml at 455df5f
name: SigStoreJS
on:
workflow_dispatch:
push:
permissions:
contents: read
id-token: write
attestations: write
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Setup node
uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4
- name: Generate dummy package
run: npm pack
- name: Generate provenance statement with package as attestation subject
run: |
sha256=$(shasum -a 256 aenguerrand-examplepackage12-0.4.0.tgz | awk '{print $1}')
npx @npmcli/provenance-cli generate -o provenance-statement.json --subject-name="pkg:npm/%40aenguerrand/[email protected]" --subject-digest="sha256:$sha256"
- name: Sign provenance statement
run: npx @sigstore/cli attest ./provenance-statement.json -o provenance.sigstore.json
- name: "Verify provenance statement (TODO: Verify source identity)"
run: npx @sigstore/cli verify provenance.sigstore.json
- name: Upload artifact (provenance statement)
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3
with:
name: provenance-statement.json
path: provenance-statement.json
- name: Upload artifact (provenance)
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3
with:
name: provenance-sigstore.json
path: provenance.sigstore.json
- name: Upload artifact (build)
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3
with:
name: aenguerrand-examplepackage12-0.4.0.tgz
path: aenguerrand-examplepackage12-0.4.0.tgz
- name: Install Cosign
uses: sigstore/[email protected]
- name: debug
run: |
ls -la
cat provenance.sigstore.json
echo "----"
cat provenance-statement.json
- name: Upload to npmjs.com
run: |
npm config set //registry.npmjs.org/:_authToken "${{ secrets.NPM_TOKEN }}"
npm publish aenguerrand-examplepackage12-0.4.0.tgz --access public --provenance-file provenance.sigstore.json --access public