
feat: oidc provenance by default #8412

Merged
merged 7 commits into from
Jul 14, 2025

@reggi reggi commented Jul 2, 2025

This PR adds "auto" or "default" provenance to publishes that use OIDC within GitHub and GitLab. It does this by checking the OIDC ID token payload and checking if the current repo's visibility is public or private; if it's public, we do the equivalent of adding the --provenance flag.
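The decision described above, sketched as an added example (not code from this PR or from the npm CLI). The function names are hypothetical; `repository_visibility` and `project_visibility` are the visibility claims GitHub Actions and GitLab CI document for their ID tokens, and that the PR reads exactly these claims is an assumption.

```javascript
// Added example: default provenance on only when the CI ID token says the
// source repository is public. Claim names per provider docs (assumed to be
// the ones the PR reads).
const VISIBILITY_CLAIM = {
  github: 'repository_visibility',
  gitlab: 'project_visibility',
}

// Decode the payload segment of a compact JWT. No signature check happens
// here: the result only selects a client-side default and must never be
// treated as authentication. Token verification is the registry's job.
function decodeJwtPayload (idToken) {
  const parts = String(idToken).split('.')
  if (parts.length !== 3) {
    throw new Error('not a compact JWT')
  }
  const payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'))
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) {
    throw new Error('JWT payload is not an object')
  }
  return payload
}

// True only for a recognised CI provider whose token reports "public".
// Private, internal, missing or unreadable values all leave provenance off.
function defaultProvenance (ciName, idToken) {
  if (!Object.hasOwn(VISIBILITY_CLAIM, ciName)) {
    return false
  }
  try {
    return decodeJwtPayload(idToken)[VISIBILITY_CLAIM[ciName]] === 'public'
  } catch {
    return false
  }
}

// Constructed sample tokens: header and signature are dummies.
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url')
const makeToken = (payload) => `${b64({ alg: 'RS256', typ: 'JWT' })}.${b64(payload)}.sig`

console.log(defaultProvenance('github', makeToken({ repository_visibility: 'public' })))
console.log(defaultProvenance('gitlab', makeToken({ project_visibility: 'internal' })))
```

Failing closed on an unreadable token keeps a malformed or unexpected ID token from turning provenance on for a repository whose visibility was never confirmed.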

@reggi reggi requested a review from a team as a code owner July 2, 2025 19:42
@reggi reggi changed the base branch from latest to oidc July 2, 2025 19:42
@reggi reggi force-pushed the oidc-default-provenance branch from 197c641 to 7476f21 Compare July 9, 2025 14:13
@reggi reggi force-pushed the oidc-default-provenance branch from 7476f21 to f55cce1 Compare July 9, 2025 14:16
@reggi reggi changed the title [PROTOTYPE] OIDC Provenance by default feat: oidc provenance by default Jul 9, 2025
@@ -205,7 +205,7 @@ const ensureProvenanceGeneration = async (registry, spec, opts) => {
if (opts.access !== 'public') {
try {
const res = await npmFetch
.json(`${registry}/-/package/${spec.escapedName}/visibility`, opts)
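Review bot: the URL passed to `npmFetch.json` is built by interpolating `registry` directly in front of `/-/package/`, so the request path depends on whether the configured registry value ends in `/`. Normalize `registry` once before interpolating (for example by stripping trailing slashes) rather than relying on the caller's form, and add a test that runs this visibility lookup with the registry set both with and without a trailing slash, so the mocked path is always a single `/-/package/.../visibility`.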
Contributor Author

This has been making a double path slash call, `//`, because the registry domain ends with `/` and the path has it too; this was unintuitive to keep when nocking properly.

@reggi reggi merged commit e4ad90c into oidc Jul 14, 2025
45 checks passed
@reggi reggi deleted the oidc-default-provenance branch July 14, 2025 15:01