Skip to content

npm provenance and release-binary attestations #100

Description

@taras

Problem

Consumers cannot cryptographically verify that the published npm packages and
release binaries were built by this repository's workflows.

Proposal

  • npm publish --provenance in publish-one.yml (OIDC trusted publishing
    already provides the identity).
  • GitHub artifact attestations (actions/attest-build-provenance) for the
    xmd release binaries alongside the existing sha256 checksums.

Related: #68 (macOS Developer-ID signing + notarization).

Metadata

Metadata

Assignees

No one assigned

    Labels

    securitySecurity hardening

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions