
chore: Enable supply chain security through npm provenance attestation #8911

Open
wants to merge 4 commits into
base: main

Conversation


@pupapaik commented Nov 7, 2024

Description

  • Configure GitHub Actions workflow for secure publishing
  • Enable automatic provenance generation during npm publish
  • Add integrity verification through Sigstore transparency logs

Following the recent Lottie-Player supply chain attack, it's crucial to enhance package security. NPM provenance provides cryptographic proof that this package was built from this repository using GitHub Actions, making supply chain attacks significantly harder. More info in my blog post https://medium.com/exaforce/npm-provenance-the-missing-security-layer-in-popular-javascript-libraries-b50107927008

Specific Changes proposed

Changes the GitHub workflow to publish a provenance attestation on https://www.npmjs.com/package/video.js

Requirements Checklist

  • Feature implemented in CI/CD
  • If necessary, more likely in a feature request than a bug fix
    • Change has been verified in an actual browser (Chrome, Firefox, IE)
    • Unit Tests updated or fixed
    • Docs/guides updated
    • Example created (starter template on JSBin)
    • [x] Has no DOM changes which impact accessibility or trigger warnings (e.g. Chrome issues tab)
    • Has no changes to JSDoc which cause npm run docs:api to error
  • Reviewed by Two Core Contributors

- Configure GitHub Actions workflow for secure publishing
- Enable automatic provenance generation during npm publish
- Add integrity verification through Sigstore transparency logs
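The three changes the PR description lists (a publishing workflow, provenance generation during npm publish, and Sigstore-backed verification) look roughly like the following in practice. This is an added illustrative workflow, not the PR's diff or the video.js project's own file; the tag-push trigger, the NPM_TOKEN secret name and Node 20 are assumptions.

```yaml
# Added illustrative workflow, not the video.js project's own file or the
# PR's diff. Assumed: a tag-push trigger, the NPM_TOKEN repository secret,
# and Node 20; only the provenance-related settings are the point here.
name: publish-with-provenance

on:
  push:
    tags: ['v*']

jobs:
  publish:
    runs-on: ubuntu-latest      # npm provenance is generated only in supported CI (GitHub Actions here)
    permissions:
      contents: read
      id-token: write           # lets npm obtain the OIDC token that Sigstore signs
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: 'https://registry.npmjs.org'   # writes registry auth into .npmrc

      - run: npm ci
      - run: npm test

      # --provenance makes npm generate a SLSA provenance statement that binds
      # the tarball to this repository, workflow file and commit, sign it with
      # a short-lived Sigstore certificate, and record it in the Rekor
      # transparency log next to the published package.
      - run: npm publish --provenance
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

  # Consumer-side check: after install, npm verifies the registry signature of
  # every package in the lockfile and, where an attestation exists, that the
  # provenance matches the downloaded tarball. A non-zero exit fails the job.
  verify:
    needs: publish
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: |
          mkdir consumer && cd consumer
          npm init -y > /dev/null
          npm install video.js
          npm audit signatures
```

The `id-token: write` permission is the part most often missed: without it npm cannot request the OIDC token, and `npm publish --provenance` fails rather than silently publishing without an attestation.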

welcome bot commented Nov 7, 2024

💖 Thanks for opening this pull request! 💖

Things that will help get your PR across the finish line:

  • Run npm run lint -- --errors locally to catch formatting errors earlier.
  • Include tests when adding/changing behavior.
  • Include screenshots and animated GIFs whenever possible.

We get a lot of pull requests on this repo, so please be patient and we will get back to you as soon as we can.

@mister-ben changed the title from "Enable supply chain security through npm provenance attestation" to "chore: Enable supply chain security through npm provenance attestation" on Nov 13, 2024

codecov bot commented Nov 14, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 83.26%. Comparing base (ecef37c) to head (18c1183).
Report is 2 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8911      +/-   ##
==========================================
+ Coverage   83.25%   83.26%   +0.01%     
==========================================
  Files         120      120              
  Lines        8097     8097              
  Branches     1944     1944              
==========================================
+ Hits         6741     6742       +1     
+ Misses       1356     1355       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@pupapaik (Author) commented

Any update? Do you guys want to merge it?
