This lab repository demonstrates how to create provenance without using the npm CLI and publish a package to npmjs.com with an attached provenance file (not generated by the npm CLI). This lab was conducted to ensure compatibility with changesets and the external provenance mechanism, even if the package is not directly pushed to npmjs.com.
Here is a table of all GitHub workflows in this repository:
Workflow File | Workflow Name | Description | Status |
---|---|---|---|
github-attest-predicate.yaml | Github Attest - Custom Predicate | Based on action/attest. Attest a package with a custom predicate and publish it to npm with attached provenance. | ❌ |
github-attest.yaml | Github Attest | Based on action/attest. Attest a package and publish it to npm with attached provenance. | ❌ |
sigtstorejs.yaml | Sigstore JS | Workflow for integrating SigstoreJS with your project. | ❌ |
slsa-generator-nodejs-custom.yaml | SLSA Generator Custom NodeJS | Based on SLSA GitHub Generator. Generate SLSA provenance using custom logic for NodeJS projects. | ✅ |
slsa-generator-nodejs.yaml | SLSA Generator NodeJS | Based on SLSA GitHub Generator. Generate SLSA Level 3 provenance using the SLSA GitHub Generator for NodeJS. | ✅ |