
ci(release): add sigstore npm integration through --provenance #3622

Open
wants to merge 1 commit into
base: main

Conversation

adrianbatuto
Contributor

@adrianbatuto adrianbatuto commented Nov 12, 2024

Commit to be reviewed


ci(release): add sigstore npm integration through --provenance

Primary Changes
----------------
1. Added provenance config to the publish workflows.

Fixes #2623

Pull Request Requirements

  • Rebased onto upstream/main branch and squashed into a single commit to help maintainers review it more efficiently and to avoid spaghetti git commit graphs that obfuscate which commit did exactly what change, when, and why.
  • Have a git sign-off at the end of the commit message to avoid being marked red. You can add the -s flag when using the git commit command. You may refer to this link for more information.
  • Follow the Commit Linting specification. You may refer to this link for more information.

Character Limit

  • Pull Request Title and Commit Subject must not exceed 72 characters (including spaces and special characters).
  • Commit Message per line must not exceed 80 characters (including spaces and special characters).

A Must Read for Beginners
For rebasing and squashing, here's a must read guide for beginners.
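The page does not show the contents of the project's publish workflows, so the following is an added example (not the project's own .github/workflows/all-nodejs-packages-publish.yaml) of the two settings a GitHub Actions job needs before `npm publish --provenance` can produce a Sigstore attestation: the `id-token: write` permission, which lets npm obtain the OIDC token it signs with, and the `--provenance` flag on the publish command. The workflow name and the `NPM_TOKEN` secret name are placeholders.

```yaml
# Added example, not the project's workflow. Hypothetical job that publishes
# a package with an npm/Sigstore provenance attestation.
name: publish-with-provenance   # placeholder workflow name

on:
  release:
    types: [published]

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Without this line npm cannot request an OIDC identity token and
      # refuses to publish with --provenance.
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci
      # A plain `npm publish` would upload the tarball with no attestation;
      # --provenance adds the Sigstore-signed statement linking the package
      # to this repository and workflow run.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # placeholder secret name
```

npm also checks that the `repository.url` in package.json matches the repository the workflow runs in before it will attach provenance. On the consumer side, `npm audit signatures` run in a project that depends on the published package reports whether each installed package carries a valid registry signature and provenance attestation, which is the check that makes the `--provenance` flag worth adding.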

@adrianbatuto
Contributor Author

adrianbatuto commented Nov 12, 2024

The config added in this PR has been tested as I published to npm using the workflows with my personal npm token. Please see the screenshots below of the two published packages with provenance.

@adrianbatuto/cactus-common
[screenshot]

@adrianbatuto/cactus-core-api
[screenshot]

Contributor

@petermetz petermetz left a comment


@adrianbatuto Thank you! Could you please confirm that you've published the packages on the screenshots with the .github/workflows/all-nodejs-packages-publish.yaml workflow and not the other one?
If no, then please double check that the mentioned workflow is working as well and then pass it back for review!

@adrianbatuto
Contributor Author

adrianbatuto commented Nov 13, 2024

@adrianbatuto Thank you! Could you please confirm that you've published the packages on the screenshots with the .github/workflows/all-nodejs-packages-publish.yaml workflow and not the other one? If no, then please double check that the mentioned workflow is working as well and then pass it back for review!

@petermetz, I was also able to publish with provenance using all-nodejs-packages-publish.yaml. https://github.com/adrianbatuto/cacti/actions/runs/11801663866

Contributor

@petermetz petermetz left a comment


@adrianbatuto Thank you for confirming, in that case we are good to go from my side!

@jagpreetsinghsasan
Contributor

@hyperledger-cacti/cacti-maintainers requesting review on this PR

Primary Changes
----------------
1. Added provenance config to the publish workflows.

Fixes hyperledger-cacti#2623

Signed-off-by: adrianbatuto <[email protected]>