feat: Add GitLab CI provenance (#6375) #6526
Conversation
|
Per @feelepxyz:
|
This is a first pass at provenance generation for GitLab CI. This is based loosely off of existing GitLab provenance documents: https://about.gitlab.com/blog/2022/11/30/achieve-slsa-level-2-compliance-with-gitlab/ https://gist.github.com/wlynch/c7fd8f53adc77d3c0ec82356e4d43cb5
|
@wlynch This branch has been rebased against latest and had merge conflicts resolved. We have a bit of time before we land the UI links for you to do a final check of this branch again after the rebase. |
| const GITHUB_BUILD_TYPE_VERSION = 'v2' | ||
|
|
||
| const GITLAB_BUILD_TYPE_PREFIX = 'https://github.com/npm/cli/gitlab' | ||
| const GITLAB_BUILD_TYPE_VERSION = 'v0alpha1' |
There was a problem hiding this comment.
There was a question as to if we wanted this to change to beta?
There was a problem hiding this comment.
Also seems ok if you want to keep as is @wlynch?
There was a problem hiding this comment.
I'm fine with keeping this for now. I think there may be a few more tweaks coming to the provenance on the Fulcio side (sigstore/fulcio#1206), but it shouldn't change anything w.r.t. npm. We can always rev this later.
There was a problem hiding this comment.
The provenance UI for gitlab now renders working URLs: https://www.npmjs.com/package/@ps-testing/gitlab-npm-provenance#provenance
I'm 👍 on merging this into latest now 🎉
This is a first pass at provenance generation for GitLab CI.
This is based loosely off of existing GitLab provenance documents:
https://about.gitlab.com/blog/2022/11/30/achieve-slsa-level-2-compliance-with-gitlab/
https://gist.github.com/wlynch/c7fd8f53adc77d3c0ec82356e4d43cb5