Enable supply chain security through npm provenance attestation

- Configure GitHub Actions workflow for secure publishing - Enable automatic provenance generation during npm publish - Add integrity verification through Sigstore transparency logs
2025-01-02 06:32:07 +02:00 · 2024-11-07 17:05:45 +01:00 · 2024-11-07 17:05:45 +01:00 · 18c1183e94
commit 18c1183e94
parent ecef37c1fc
1 changed files with 5 additions and 1 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@ -11,6 +11,10 @@ jobs:
    env:
      NETLIFY_BASE: 'videojs-preview.netlify.app'
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write      # Required for provenance
+      packages: write      # Required for publishing
    steps:
      - name: Checkout
        uses: actions/checkout@v3
@ -37,7 +41,7 @@ jobs:

      # publish runs build for us via a prepublishOnly script
      - name: npm release
-        run: npm publish --tag next
+        run: npm publish --provenance --tag next
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}