denoland-deno

foster/denoland-deno

Fork 0

mirror of https://github.com/denoland/deno.git synced 2024-11-22 15:06:54 -05:00

Commit graph

Author	SHA1	Message	Date
David Sherret	bee16c54ab	fix(publish): workspace included license file had incorrect path (#24747 ) Also fixes the issue where we say a package was successfully published before it wasn't. Bug in https://github.com/denoland/deno/pull/24714	2024-07-26 15:35:29 +00:00
Divy Srivastava	9b5d2f8c1b	feat(publish): provenance attestation (#22573 ) Supply chain security for JSR. ``` $ deno publish --provenance Successfully published @divy/test_provenance@0.0.3 Provenance transparency log available at https://search.sigstore.dev/?logIndex=73657418 ``` 0. Package has been published. 1. Fetches the version manifest and verifies it's matching with uploaded files and exports. 2. Builds the attestation SLSA payload using Github actions env. 3. Creates an ephemeral key pair for signing the github token (aud=sigstore) and DSSE pre authentication tag. 4. Requests a X.509 signing certificate from Fulcio using the challenge and ephemeral public key PEM. 5. Prepares a DSSE envelop for Rekor to witness. Posts an intoto entry to Rekor and gets back the transparency log index. 6. Builds the provenance bundle and posts it to JSR.	2024-02-28 07:58:02 +05:30

Author

SHA1

Message

Date

David Sherret

bee16c54ab

fix(publish): workspace included license file had incorrect path (#24747 )

Also fixes the issue where we say a package was successfully published
before it wasn't.

Bug in https://github.com/denoland/deno/pull/24714

2024-07-26 15:35:29 +00:00

Divy Srivastava

9b5d2f8c1b

feat(publish): provenance attestation (#22573 )

Supply chain security for JSR.

```
$ deno publish --provenance

Successfully published @divy/test_provenance@0.0.3
Provenance transparency log available at https://search.sigstore.dev/?logIndex=73657418
```

0. Package has been published.
1. Fetches the version manifest and verifies it's matching with uploaded
files and exports.
2. Builds the attestation SLSA payload using Github actions env.
3. Creates an ephemeral key pair for signing the github token
(aud=sigstore) and DSSE pre authentication tag.
4. Requests a X.509 signing certificate from Fulcio using the challenge
and ephemeral public key PEM.
5. Prepares a DSSE envelop for Rekor to witness. Posts an intoto entry
to Rekor and gets back the transparency log index.
6. Builds the provenance bundle and posts it to JSR.

2024-02-28 07:58:02 +05:30

2 commits