Sign our own npm package #19170
Comments
There is intent to bring this functionality directly into npm, however it should be possible already using References:
Thanks for the links! Are you sure about using
I'll let you decide what to do with this information. 🙂
True, npm package signing is still very early in development. That said,
I have the solution in a branch, I created an example package with provenance enabled in
I submitted a request for the
@rarkins did you hear back? It looks like GA of the feature is coming soon github/roadmap#657
I don't think I've been notified of anything, can't find any sign of it when I log in either
The feature is now generally available https://github.blog/2023-04-19-introducing-npm-package-provenance/
Related PR: @JamieMagee there's a problem with the current setup, the
I was just opening a PR 😓
Can we close this now?
This likely fix is now in, but we don't know if it works. We'll have to wait for a release-worthy commit to land in. Then we need to check that we can see the new provenance label on the npm registry for our package. Once all that is done, we can close this issue. 😄
Renovate version |
What would you like Renovate to be able to do?
We should look into signing our packages. It's probably a good idea to figure out signing our npm package first to learn how it all works. We can expand signing to our other projects/build artifacts later.
If you have any ideas on how this should be implemented, please tell us here.
GitHub has a blog¹ about using Sigstore on GitHub Actions to sign a build. The key benefit seems to be that with Sigstore you don't have to manage a private key, they call this "keyless signing". It sounds like this all makes signing easier to setup and maintain. 😄
The Sigstore project is now released under General Availability, and GitHub says it's stable to start using now.
I've copy/pasted the most relevant part of the blog below for reference:
I'll let you maintainers figure out how this all works, and let you set up signing. 😉
Is this a feature you are interested in implementing yourself?
No
Footnotes
1. https://github.blog/2022-10-25-why-were-excited-about-the-sigstore-general-availability/
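For reference, here is what the "keyless signing" flow described in the issue looks like as a GitHub Actions workflow. This is an added example, not Renovate's own workflow or anything taken from the linked blog post: the job requests an OIDC identity token (`id-token: write`) and `npm publish --provenance` uses it to have Sigstore sign the build and attach a provenance attestation to the published package, so no long-lived signing key is stored anywhere. The workflow name, the release trigger, the Node version and the `NPM_TOKEN` secret name are assumptions; the `repository` field in `package.json` must point at the repository the workflow runs in, because the registry checks that the attested source matches it.

```yaml
# Added example (not Renovate's own workflow): publish an npm package from
# GitHub Actions with Sigstore-backed provenance.
# Assumptions: package.json "repository" points at this GitHub repository, and
# an npm automation token is stored in the NPM_TOKEN repository secret.
name: publish

on:
  release:
    types: [published]   # assumed trigger; publish when a GitHub release is created

permissions:
  contents: read
  id-token: write        # lets the job mint a short-lived OIDC token for Sigstore; no private key to manage

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20                      # assumed version
          registry-url: https://registry.npmjs.org

      - run: npm ci

      # --provenance makes npm request the OIDC token, sign via Sigstore and
      # upload the attestation alongside the tarball; the registry then shows
      # the provenance badge on the package page.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

After a release, the check the last comment asks for is to look at the package page on npmjs.com for the provenance badge; consumers can also run `npm audit signatures` in a project that depends on the package to have npm verify the registry signatures and attestations of installed packages.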