Skip to content

ci(release): add --provenance to npm publish; pin actions to commit SHAs#100

Merged
dipto0321 merged 1 commit into
mainfrom
ci/release/harden-supply-chain
Jul 3, 2026
Merged

ci(release): add --provenance to npm publish; pin actions to commit SHAs#100
dipto0321 merged 1 commit into
mainfrom
ci/release/harden-supply-chain

Conversation

@dipto0321

Copy link
Copy Markdown
Owner

Summary

Two CI/CD supply-chain hardening fixes from issue #67:

  1. .github/workflows/release.yml now passes --provenance to
    npm publish.
    Pre-fix:

    run: npm publish --access public

    Post-fix:

    run: npm publish --provenance --access public

    The release-checklist docs already call for
    npm publish --provenance --access public (Option A) — the
    workflow just wasn't matching. The OIDC setup is otherwise
    correct (no hardcoded token, permissions: id-token: write
    scoped to the publish job); only the flag was missing.
    The flag attaches a SLSA-style attestation to the published
    nodeup-cli package, generated from the OIDC token, so npm
    can display the "Built and signed on GitHub Actions" badge.

  2. All 14 third-party uses: lines in .github/workflows/
    are now pinned to commit SHAs
    instead of mutable
    major-version tags. Pre-fix:

    uses: actions/checkout@v4

    Post-fix:

    uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4

    The # v<N> comment preserves the human-readable major
    version for grep-ability. SHAs were resolved at pin time
    from each repo's git/refs/tags/<v> (most are
    lightweight tags whose object.sha IS the commit; the
    one annotated tag — wagoid/commitlint-github-action@v5
    was resolved one extra hop to the commit object). The
    affected actions are: actions/checkout, actions/setup-go,
    actions/setup-node, golangci/golangci-lint-action,
    wagoid/commitlint-github-action, codecov/codecov-action,
    goreleaser/goreleaser-action. The change covers all 14
    uses: occurrences in both workflow files.

    Risk class closed: a compromised or force-pushed tag on any
    of those actions would silently pull unreviewed code into
    release.yml, which runs with contents: write and
    handles publish secrets. The existing
    permissions: blocks (job-scoped, least-privileged) and
    absence of pull_request_target (verified clean) are
    unchanged and remain the primary defense.

Linked issues

Closes #67

Type of change

  • ci — CI/CD only
  • feat — new feature (MINOR bump)
  • fix — bug fix (PATCH bump)
  • refactor — no behavior change
  • perf — performance improvement
  • test — tests only
  • docs — documentation only
  • chore — maintenance / dependency bump
  • build — build system only
  • Breaking change (MAJOR bump) — explain below

Checklist

  • Title follows Conventional Commits (ci(scope): subject)
  • I ran make ci locally and it passes (the change is
    CI-config-only; the Go pipeline still runs and stays
    green)
  • I added or updated tests for the change (no test added —
    the "test" for a workflow-config change is whether
    CI's lint + test + build matrix still passes, which
    this PR's CI run verifies)
  • I updated relevant docs (no user-facing docs change;
    CHANGELOG.md gets a ### Fixed entry under
    [Unreleased])
  • No new linter warnings (make lint green)
  • If breaking: I documented the migration path in the PR
    body and updated CHANGELOG.md

Files touched

  • .github/workflows/release.yml — adds --provenance to
    the npm publish step; pins actions/checkout,
    actions/setup-go, actions/setup-node,
    goreleaser/goreleaser-action to commit SHAs.
  • .github/workflows/ci.yml — pins
    actions/checkout, actions/setup-go,
    golangci/golangci-lint-action,
    wagoid/commitlint-github-action, and
    codecov/codecov-action to commit SHAs.
  • CHANGELOG.md### Fixed entry under [Unreleased]
    documenting the provenance flag and SHA pinning with ci(release): missing --provenance on npm publish; third-party Actions pinned to mutable tags not SHAs #67
    reference.

Two supply-chain hardening fixes from issue #67:

- release.yml npm publish step now passes --provenance so the
  published nodeup-cli package carries a SLSA-style attestation
  generated from the OIDC token (npm "Built and signed on GitHub
  Actions" badge). The release-checklist docs already call for
  this; the workflow just wasn't matching.
- All 14 `uses:` lines in .github/workflows/ are now pinned to
  commit SHAs with a `# v<N>` readability comment, instead of
  mutable major-version tags. Covers actions/checkout,
  actions/setup-go, actions/setup-node, golangci/golangci-lint-action,
  wagoid/commitlint-github-action, codecov/codecov-action,
  goreleaser/goreleaser-action. SHAs were resolved at pin time
  from each repo's git/refs/tags/<v>.

Closes #67
@cocogitto-bot

cocogitto-bot Bot commented Jul 3, 2026

Copy link
Copy Markdown

✔️ f568cc3 - Conventional commits check succeeded.

@dipto0321 dipto0321 merged commit 745f4b3 into main Jul 3, 2026
10 checks passed
@dipto0321 dipto0321 deleted the ci/release/harden-supply-chain branch July 3, 2026 06:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

ci(release): missing --provenance on npm publish; third-party Actions pinned to mutable tags not SHAs

1 participant