feat: Add GitLab CI provenance (#6375) #6526
Conversation
> Per @feelepxyz:
>
> This is a first pass at provenance generation for GitLab CI. This is based loosely off of existing GitLab provenance documents:
> https://about.gitlab.com/blog/2022/11/30/achieve-slsa-level-2-compliance-with-gitlab/
> https://gist.github.com/wlynch/c7fd8f53adc77d3c0ec82356e4d43cb5

@wlynch This branch has been rebased against latest and had merge conflicts resolved. We have a bit of time before we land the UI links for you to do a final check of this branch again after the rebase.
```js
const GITHUB_BUILD_TYPE_VERSION = 'v2'

const GITLAB_BUILD_TYPE_PREFIX = 'https://github.com/npm/cli/gitlab'
const GITLAB_BUILD_TYPE_VERSION = 'v0alpha1'
```
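Review bot: the GitLab build type is introduced at `v0alpha1` while the GitHub one is already at `v2`, and the thread agrees the value may be revved later; add a comment on `GITLAB_BUILD_TYPE_VERSION` stating that the resulting `buildType` URL is unstable and that anything verifying GitLab-produced provenance must match on the full prefix-plus-version string rather than assume parity with the GitHub value, so a later bump is a deliberate, documented change rather than a silent one.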
There was a question as to if we wanted this to change to beta?
Also seems ok if you want to keep as is @wlynch?
I'm fine with keeping this for now. I think there may be a few more tweaks coming to the provenance on the Fulcio side (sigstore/fulcio#1206), but it shouldn't change anything w.r.t. npm. We can always rev this later.
The provenance UI for gitlab now renders working URLs: https://www.npmjs.com/package/@ps-testing/gitlab-npm-provenance#provenance
I'm 👍  on merging this into latest now 🎉