
Generate provenance statements on npm publish #18352

Merged (1 commit), Jul 1, 2024

Conversation

@wojtekmaj (Contributor) commented Jul 1, 2024

This PR adds Provenance statements on npm publish, increasing supply-chain security.

@Snuffleupagus (Collaborator):

As a general rule: Please note that the context provided in #18352 (comment) should also be included in the commit message itself such that it's possible to understand what the patch does and importantly why on the Git command line without having to reference the GitHub PR.

@wojtekmaj (Contributor, Author):

Ah, sorry about that. It's been a while since I contributed to a repo that doesn't squash, which usually makes commits irrelevant. Fixed both of my PRs :)

@timvandermeij (Contributor) left a review comment:

Looks good to me, with the comment addressed in the squashed commit. In the meantime I'll read up on provenance a bit more before merging to make sure all prerequisites are met (because I'd like to make a new release later today).

Review thread on .github/workflows/publish_release.yml (outdated; resolved)
This PR adds [Provenance statements](https://docs.npmjs.com/generating-provenance-statements) on `npm publish`, increasing supply-chain security.
@timvandermeij timvandermeij merged commit 7114796 into mozilla:master Jul 1, 2024
7 checks passed
@timvandermeij (Contributor):

Thanks!

@wojtekmaj wojtekmaj deleted the provenance branch July 1, 2024 16:48
@wojtekmaj (Contributor, Author) commented Jul 1, 2024

Uh. So I guess repository.url in package.json must match the URL of the repository GitHub Actions are run from. In other words, it cannot point to https://github.com/mozilla/pdfjs-dist, but to https://github.com/mozilla/pdf.js for provenance to work.

I don't think the format is relevant, but the repository it points to is.

@timvandermeij (Contributor):

@wojtekmaj Sadly this failed in GitHub Actions for the new release; please see https://github.com/mozilla/pdf.js/actions/runs/9748332722/job/26903097065#step:6:359. The issue appears to be that in dddb74d we normalized the repository URL according to NPM recommendation, and I noticed you have the same in react-pdf at https://github.com/wojtekmaj/react-pdf/blob/main/packages/react-pdf/package.json#L105, so I'm wondering if you also ran into this issue and how you fixed it?

@wojtekmaj: (this comment was marked as outdated)

@timvandermeij (Contributor):

Ha, thanks. I guess the best way forward is to unpublish this release, fix the URL and try again? Fortunately the error caused nothing to be published to NPM yet AFAICT, so I think unpublishing should be safe.

@timvandermeij (Contributor):

Alternatively we could disable provenance for now until the fate of #18357 is decided because I believe that was why the repository URL was the way it is now, but that'd not be my preferred option.

@wojtekmaj (Contributor, Author):

Both options should work!

timvandermeij added a commit to timvandermeij/pdf.js that referenced this pull request Jul 1, 2024
For provenance, enabled in PR mozilla#18352, to work the repository URL in
`package.json` is required to match the repository URL of the GitHub
Actions invocation. This should fix the following error we encountered
publishing a new release today:

```
npm error 422 Unprocessable Entity - PUT https://registry.npmjs.org/pdfjs-dist - Error verifying sigstore provenance bundle: Failed to validate repository information: package.json: "repository.url" is "git+https://github.com/mozilla/pdfjs-dist.git", expected to match "https://github.com/mozilla/pdf.js" from provenance
```
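The mismatch in the error above can be caught before `npm publish` runs. The following is an added example (not pdf.js or npm code) of a pre-publish check that reduces the `repository.url` in package.json to an `owner/repo` slug and compares it with the `GITHUB_REPOSITORY` value that GitHub Actions exposes to the runner; the accepted URL spellings and the comparison rule are this example's own assumptions, not npm's exact provenance matching logic.

```javascript
// Added example (not pdf.js or npm code): pre-publish check that
// package.json's repository.url points at the repository the GitHub
// Actions run executes from, which is the condition the npm provenance
// verification in the thread rejected.
//
// Assumptions: the URL spellings normalised below (git+https, https, ssh,
// "owner/repo" / "github:owner/repo" shorthand) are this example's own
// rule, not npm's; GITHUB_REPOSITORY holds "owner/repo" on the runner.

// Reduce a repository.url value to a lower-cased "owner/repo" slug, or
// return null when it does not point at GitHub at all.
function repoSlug(url) {
  if (typeof url !== 'string') return null;
  const s = url.trim().replace(/^git\+/, '');
  // ssh form: git@github.com:owner/repo.git (or ssh://git@github.com/...)
  let m = s.match(/^(?:ssh:\/\/)?git@github\.com[:/]([^/]+)\/(.+)$/);
  // https form: https://github.com/owner/repo(.git)(/)
  if (!m) m = s.match(/^https?:\/\/(?:www\.)?github\.com\/([^/]+)\/(.+)$/);
  // npm shorthand: "owner/repo" or "github:owner/repo"
  if (!m) m = s.match(/^(?:github:)?([A-Za-z0-9_.-]+)\/([A-Za-z0-9_.-]+)$/);
  if (!m) return null;
  // Strip only a trailing ".git": repository names may contain dots (pdf.js).
  const repo = m[2].replace(/\/+$/, '').replace(/\.git$/, '');
  return `${m[1]}/${repo}`.toLowerCase();
}

// Compare package.json's repository field (string or {type, url} object)
// against the workflow's repository. Returns a result object so the caller
// can decide whether to fail the publish step.
function checkProvenanceRepo(pkg, githubRepository) {
  const field = pkg.repository;
  const url = typeof field === 'string' ? field : field && field.url;
  const actual = repoSlug(url);
  const expected = repoSlug(githubRepository);
  const ok = actual !== null && expected !== null && actual === expected;
  return { ok, actual, expected };
}

// Constructed package.json fragments mirroring the thread: the failing one
// points at the pdfjs-dist mirror, the fixed one at the source repository.
const failingPkg = { name: 'pdfjs-dist',
  repository: { type: 'git', url: 'git+https://github.com/mozilla/pdfjs-dist.git' } };
const fixedPkg = { name: 'pdfjs-dist',
  repository: { type: 'git', url: 'git+https://github.com/mozilla/pdf.js.git' } };

for (const pkg of [failingPkg, fixedPkg]) {
  const r = checkProvenanceRepo(pkg, 'mozilla/pdf.js');
  console.log(pkg.repository.url, '->', r.ok ? 'ok' : `mismatch: ${r.actual} vs ${r.expected}`);
}
```

In a workflow the check would be run with `process.env.GITHUB_REPOSITORY` in place of the literal and exit non-zero on `ok === false`, so the failure surfaces before the registry rejects the upload.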
@timvandermeij (Contributor):

Thanks; the issue should be fixed by #18358.

@timvandermeij (Contributor):

It worked, and the provenance badge is now shown on https://www.npmjs.com/package/pdfjs-dist/v/4.4.168. Nice!
