feat: oidc provenance by default (#8412)

reggi · web-flow · commit e4ad90c35565 · 2025-07-14T11:01:43.000-04:00
This PR adds "auto" or "default" provenance to publishes that use OIDC
within github and gitlab. It does this by checking the OIDC id token
payload and checking if the current repo's visibility is public or
private if it's public we do the equivalent of adding the `--provenance`
flag.
diff --git a/lib/utils/oidc.js b/lib/utils/oidc.js
@@ -116,14 +116,44 @@ async function oidc ({ packageName, registry, opts, config }) {
       return undefined
     }
 
+    // this checks if the user configured provenance or it's the default unset value
+    const isDefaultProvenance = config.isDefault('provenance')
+    const provenanceIntent = config.get('provenance')
+    const skipProvenance = isDefaultProvenance || provenanceIntent
+
+    if (skipProvenance) {
+      const [headerB64, payloadB64] = idToken.split('.')
+      let isPublicRepo = false
+      if (headerB64 && payloadB64) {
+        const payloadJson = Buffer.from(payloadB64, 'base64').toString('utf8')
+        try {
+          const payload = JSON.parse(payloadJson)
+          if (ciInfo.GITHUB_ACTIONS && payload.repository_visibility === 'public') {
+            isPublicRepo = true
+          }
+          if (ciInfo.GITLAB && payload.project_visibility === 'public') {
+            isPublicRepo = true
+          }
+        } catch (e) {
+          log.silly('oidc', 'Failed to parse idToken payload as JSON')
+        }
+      }
+
+      if (isPublicRepo) {
+        log.silly('oidc', 'Repository is public, setting provenance')
+        opts.provenance = true
+        config.set('provenance', true, 'user')
+      }
+    }
+
     log.silly('oidc', `id_token has a length of ${idToken.length} characters`)
 
     const parsedRegistry = new URL(registry)
     const regKey = `//${parsedRegistry.host}${parsedRegistry.pathname}`
     const authTokenKey = `${regKey}:_authToken`
 
-    const exitingToken = config.get(authTokenKey)
-    if (exitingToken) {
+    const existingToken = config.get(authTokenKey)
+    if (existingToken) {
       log.silly('oidc', 'Existing token found')
     } else {
       log.silly('oidc', 'No existing token found')
diff --git a/mock-registry/lib/index.js b/mock-registry/lib/index.js
@@ -80,7 +80,11 @@ class MockRegistry {
         // XXX: this is opt-in currently because it breaks some existing CLI
         // tests. We should work towards making this the default for all tests.
         t.comment(logReq(req, 'interceptors', 'socket', 'response', '_events'))
-        t.fail(`Unmatched request: ${req.method} ${req.path}`)
+        const protocol = req?.options?.protocol || 'http:'
+        const hostname = req?.options?.hostname || req?.hostname || 'localhost'
+        const p = req?.path || '/'
+        const url = new URL(p, `${protocol}//${hostname}`).toString()
+        t.fail(`Unmatched request: ${req.method} ${url}`)
       }
     }
 
diff --git a/mock-registry/lib/provenance.js b/mock-registry/lib/provenance.js
@@ -0,0 +1,99 @@
+'use strict'
+const t = require('tap')
+const mockGlobals = require('@npmcli/mock-globals')
+const nock = require('nock')
+
+class MockProvenance {
+  static sigstoreIdToken () {
+    return `.${Buffer.from(JSON.stringify({
+        iss: 'https://oauth2.sigstore.dev/auth',
+        email: 'foo@bar.com',
+      })).toString('base64')}.`
+  }
+
+  static successfulNock ({
+    oidcURL,
+    requestToken,
+    workflowPath,
+    repository,
+    serverUrl,
+    ref,
+    sha,
+    runID,
+    runAttempt,
+    runnerEnv,
+  }) {
+    mockGlobals(t, {
+      'process.env': {
+        CI: true,
+        GITHUB_ACTIONS: true,
+        ACTIONS_ID_TOKEN_REQUEST_URL: oidcURL,
+        ACTIONS_ID_TOKEN_REQUEST_TOKEN: requestToken,
+        GITHUB_WORKFLOW_REF: `${repository}/${workflowPath}@${ref}`,
+        GITHUB_REPOSITORY: repository,
+        GITHUB_SERVER_URL: serverUrl,
+        GITHUB_REF: ref,
+        GITHUB_SHA: sha,
+        GITHUB_RUN_ID: runID,
+        GITHUB_RUN_ATTEMPT: runAttempt,
+        RUNNER_ENVIRONMENT: runnerEnv,
+      },
+    })
+
+    const idToken = this.sigstoreIdToken()
+
+    const url = new URL(oidcURL)
+    nock(url.origin)
+      .get(url.pathname)
+      .query({ audience: 'sigstore' })
+      .matchHeader('authorization', `Bearer ${requestToken}`)
+      .matchHeader('accept', 'application/json')
+      .reply(200, { value: idToken })
+
+    const leafCertificate = `-----BEGIN CERTIFICATE-----\nabc\n-----END CERTIFICATE-----\n`
+
+    // Mock the Fulcio signing certificate endpoint
+    nock('https://fulcio.sigstore.dev')
+      .post('/api/v2/signingCert')
+      .reply(200, {
+        signedCertificateEmbeddedSct: {
+          chain: {
+            certificates: [
+              leafCertificate,
+              `-----BEGIN CERTIFICATE-----\nxyz\n-----END CERTIFICATE-----\n`,
+            ],
+          },
+        },
+      })
+
+    nock('https://rekor.sigstore.dev')
+      .post('/api/v1/log/entries')
+      .reply(201, {
+        '69e5a0c1663ee4452674a5c9d5050d866c2ee31e2faaf79913aea7cc27293cf6': {
+          body: Buffer.from(JSON.stringify({
+            kind: 'hashedrekord',
+            apiVersion: '0.0.1',
+            spec: {
+              signature: {
+                content: 'ABC123',
+                publicKey: { content: Buffer.from(leafCertificate).toString('base64') },
+              },
+            },
+          })).toString(
+            'base64'
+          ),
+          integratedTime: 1654015743,
+          logID:
+            'c0d23d6ad406973f9559f3ba2d1ca01f84147d8ffc5b8445c224f98b9591801d',
+          logIndex: 2513258,
+          verification: {
+            signedEntryTimestamp: 'MEUCIQD6CD7ZNLUipFoxzmSL/L8Ewic4SRkXN77UjfJZ7d/wAAIgatokSuX9Rg0iWxAgSfHMtcsagtDCQalU5IvXdQ+yLEA=',
+          },
+        },
+      })
+  }
+}
+
+module.exports = {
+  MockProvenance,
+}
diff --git a/test/fixtures/mock-oidc.js b/test/fixtures/mock-oidc.js
@@ -1,6 +1,35 @@
 const nock = require('nock')
 const ciInfo = require('ci-info')
 
+// this is an effort to not add a dependency to the cli just for testing
+function makeJwt (payload) {
+  const header = { alg: 'none', typ: 'JWT' }
+  const headerB64 = Buffer.from(JSON.stringify(header)).toString('base64')
+  const payloadB64 = Buffer.from(JSON.stringify(payload)).toString('base64')
+  // empty signature section
+  return `${headerB64}.${payloadB64}.`
+}
+
+function gitlabIdToken ({ visibility = 'public' } = { visibility: 'public' }) {
+  const now = Math.floor(Date.now() / 1000)
+  const payload = {
+    project_visibility: visibility,
+    iat: now,
+    exp: now + 3600, // 1 hour expiration
+  }
+  return makeJwt(payload)
+}
+
+function githubIdToken ({ visibility = 'public' } = { visibility: 'public' }) {
+  const now = Math.floor(Date.now() / 1000)
+  const payload = {
+    repository_visibility: visibility,
+    iat: now,
+    exp: now + 3600, // 1 hour expiration
+  }
+  return makeJwt(payload)
+}
+
 class MockOidc {
   constructor (opts) {
     const defaultOpts = {
@@ -17,6 +46,8 @@ class MockOidc {
     this.gitlab = options.gitlab
     this.ACTIONS_ID_TOKEN_REQUEST_URL = options.ACTIONS_ID_TOKEN_REQUEST_URL
     this.ACTIONS_ID_TOKEN_REQUEST_TOKEN = options.ACTIONS_ID_TOKEN_REQUEST_TOKEN
+    this.SIGSTORE_ID_TOKEN = options.SIGSTORE_ID_TOKEN
+
     this.NPM_ID_TOKEN = options.NPM_ID_TOKEN
     this.GITHUB_ID_TOKEN = options.GITHUB_ID_TOKEN
 
@@ -28,6 +59,7 @@ class MockOidc {
       ACTIONS_ID_TOKEN_REQUEST_TOKEN: process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN,
       GITLAB_CI: process.env.GITLAB_CI,
       NPM_ID_TOKEN: process.env.NPM_ID_TOKEN,
+      SIGSTORE_ID_TOKEN: process.env.SIGSTORE_ID_TOKEN,
     }
     this.originalCiInfo = {
       GITLAB: ciInfo.GITLAB,
@@ -53,6 +85,7 @@ class MockOidc {
     delete process.env.ACTIONS_ID_TOKEN_REQUEST_TOKEN
     delete process.env.GITLAB_CI
     delete process.env.NPM_ID_TOKEN
+    delete process.env.SIGSTORE_ID_TOKEN
 
     ciInfo.GITHUB_ACTIONS = false
     ciInfo.GITLAB = false
@@ -65,6 +98,7 @@ class MockOidc {
 
     if (this.gitlab) {
       process.env.NPM_ID_TOKEN = this.NPM_ID_TOKEN
+      process.env.SIGSTORE_ID_TOKEN = this.SIGSTORE_ID_TOKEN
       ciInfo.GITLAB = true
     }
   }
@@ -128,4 +162,6 @@ class MockOidc {
 
 module.exports = {
   MockOidc,
+  gitlabIdToken,
+  githubIdToken,
 }
diff --git a/test/lib/commands/publish.js b/test/lib/commands/publish.js
diff --git a/workspaces/libnpmpublish/lib/publish.js b/workspaces/libnpmpublish/lib/publish.js

Original file line number	Diff line number	Diff line change
`@@ -80,7 +80,11 @@ class MockRegistry {`
`80`	`80`	`// XXX: this is opt-in currently because it breaks some existing CLI`
`81`	`81`	`// tests. We should work towards making this the default for all tests.`
`82`	`82`	`t.comment(logReq(req, 'interceptors', 'socket', 'response', '_events'))`
`83`		- t.fail(`Unmatched request: ${req.method} ${req.path}`)
	`83`	`+ const protocol = req?.options?.protocol \|\| 'http:'`
	`84`	`+ const hostname = req?.options?.hostname \|\| req?.hostname \|\| 'localhost'`
	`85`	`+ const p = req?.path \|\| '/'`
	`86`	+ const url = new URL(p, `${protocol}//${hostname}`).toString()
	`87`	+ t.fail(`Unmatched request: ${req.method} ${url}`)
`84`	`88`	`}`
`85`	`89`	`}`
`86`	`90`