
Enable npm publish provenance for releases #7

Description

@cevheri

Summary

Enable npm provenance for published releases of @libredb/libredb, so every published version
carries a signed, verifiable attestation linking the tarball to the exact source commit and the
GitHub Actions workflow that built it.

Why

Provenance is a supply-chain integrity signal. With it enabled:

  • npm shows a provenance badge on the package page.
  • Consumers can run npm audit signatures to cryptographically verify that the published tarball was
    built from this repository, at a specific commit, by our publish.yml workflow — not tampered with
    or published from an unknown machine.

This is consistent with the project's reliability and honesty stance and complements the existing
supply-chain hardening (SHA-pinned actions, least-privilege workflow tokens, the full bun run gate
before publish).

Provenance was intentionally deferred while the repository was private, because it requires a public
repository. That precondition is now met (the repo is public and the package is published from GitHub
Actions), and publish.yml already carries a placeholder note for this work.

Current state

.github/workflows/publish.yml publishes without provenance:

permissions:
  contents: read
# ...
- run: npm publish --access public
  env:
    NODE_AUTH_TOKEN: ${{ secrets.NPMJS_TOKEN }}

0.0.4 (the first release published from the public repo) went out without provenance.

Proposed change

  1. Grant the publish job an OIDC token:
permissions:
  contents: read
  id-token: write
  2. Add the --provenance flag to the publish step:
- run: npm publish --access public --provenance
  env:
    NODE_AUTH_TOKEN: ${{ secrets.NPMJS_TOKEN }}

(Alternatively, set "provenance": true under publishConfig in package.json; the CLI flag is
preferred here so the behavior is explicit in the workflow.)

Also update the placeholder comment in publish.yml to state that provenance is now enabled.

Preconditions

  • Public repository
  • Published from GitHub Actions (publish.yml)
  • repository field set in package.json (provenance links to it)
  • npm CLI >= 9.5 (Node 22 via setup-node ships npm 10+)

Acceptance criteria

  • publish.yml adds id-token: write and --provenance.
  • The next release (e.g. 0.0.5) publishes successfully with provenance.
  • The npm package page shows the provenance badge.
  • npm audit signatures reports a valid provenance attestation for the new version.
  • The placeholder comment in publish.yml is updated.

Notes

  • Provenance applies from the version it is first enabled on; already-published versions (0.0.3,
    0.0.4) will not retroactively gain it.
  • No new secret is required. Provenance uses the workflow's OIDC identity; NPMJS_TOKEN still
    authenticates the publish itself.
