nodejs/deps/npm/node_modules/libnpmpublish/lib/provenance.js

const { sigstore } = require('sigstore')

const INTOTO_PAYLOAD_TYPE = 'application/vnd.in-toto+json'
const INTOTO_STATEMENT_TYPE = 'https://in-toto.io/Statement/v0.1'
const SLSA_PREDICATE_TYPE = 'https://slsa.dev/provenance/v0.2'

const BUILDER_ID = 'https://github.com/actions/runner'
const BUILD_TYPE_PREFIX = 'https://github.com/npm/cli/gha'
const BUILD_TYPE_VERSION = 'v2'

const generateProvenance = async (subject, opts) => {
  const { env } = process
  /* istanbul ignore next - not covering missing env var case */
  const [workflowPath] = (env.GITHUB_WORKFLOW_REF || '')
    .replace(env.GITHUB_REPOSITORY + '/', '')
    .split('@')
  const payload = {
    _type: INTOTO_STATEMENT_TYPE,
    subject,
    predicateType: SLSA_PREDICATE_TYPE,
    predicate: {
      buildType: `${BUILD_TYPE_PREFIX}/${BUILD_TYPE_VERSION}`,
      builder: { id: BUILDER_ID },
      invocation: {
        configSource: {
          uri: `git+${env.GITHUB_SERVER_URL}/${env.GITHUB_REPOSITORY}@${env.GITHUB_REF}`,
          digest: {
            sha1: env.GITHUB_SHA,
          },
          entryPoint: workflowPath,
        },
        parameters: {},
        environment: {
          GITHUB_EVENT_NAME: env.GITHUB_EVENT_NAME,
          GITHUB_REF: env.GITHUB_REF,
          GITHUB_REPOSITORY: env.GITHUB_REPOSITORY,
          GITHUB_REPOSITORY_ID: env.GITHUB_REPOSITORY_ID,
          GITHUB_REPOSITORY_OWNER_ID: env.GITHUB_REPOSITORY_OWNER_ID,
          GITHUB_RUN_ATTEMPT: env.GITHUB_RUN_ATTEMPT,
          GITHUB_RUN_ID: env.GITHUB_RUN_ID,
          GITHUB_SHA: env.GITHUB_SHA,
          GITHUB_WORKFLOW_REF: env.GITHUB_WORKFLOW_REF,
          GITHUB_WORKFLOW_SHA: env.GITHUB_WORKFLOW_SHA,
        },
      },
      metadata: {
        buildInvocationId: `${env.GITHUB_RUN_ID}-${env.GITHUB_RUN_ATTEMPT}`,
        completeness: {
          parameters: false,
          environment: false,
          materials: false,
        },
        reproducible: false,
      },
      materials: [
        {
          uri: `git+${env.GITHUB_SERVER_URL}/${env.GITHUB_REPOSITORY}@${env.GITHUB_REF}`,
          digest: {
            sha1: env.GITHUB_SHA,
          },
        },
      ],
    },
  }

  return sigstore.attest(Buffer.from(JSON.stringify(payload)), INTOTO_PAYLOAD_TYPE, opts)
}

module.exports = {
  generateProvenance,
}
deps: upgrade npm to 9.5.0 PR-URL: https://github.com/nodejs/node/pull/46673 Reviewed-By: Luke Karrys <luke@lukekarrys.com> Reviewed-By: Moshe Atlow <moshe@atlow.co.il> Reviewed-By: Ruy Adorno <ruyadorno@google.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Myles Borins <myles.borins@gmail.com> 2023-02-18 17:09:39 -05:00			`const { sigstore } = require('sigstore')`

			`const INTOTO_PAYLOAD_TYPE = 'application/vnd.in-toto+json'`
			`const INTOTO_STATEMENT_TYPE = 'https://in-toto.io/Statement/v0.1'`
			`const SLSA_PREDICATE_TYPE = 'https://slsa.dev/provenance/v0.2'`

deps: upgrade npm to 9.6.2 PR-URL: https://github.com/nodejs/node/pull/47108 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> 2023-03-15 17:39:48 +00:00			`const BUILDER_ID = 'https://github.com/actions/runner'`
deps: upgrade npm to 9.5.0 PR-URL: https://github.com/nodejs/node/pull/46673 Reviewed-By: Luke Karrys <luke@lukekarrys.com> Reviewed-By: Moshe Atlow <moshe@atlow.co.il> Reviewed-By: Ruy Adorno <ruyadorno@google.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Myles Borins <myles.borins@gmail.com> 2023-02-18 17:09:39 -05:00			`const BUILD_TYPE_PREFIX = 'https://github.com/npm/cli/gha'`
deps: upgrade npm to 9.6.2 PR-URL: https://github.com/nodejs/node/pull/47108 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> 2023-03-15 17:39:48 +00:00			`const BUILD_TYPE_VERSION = 'v2'`
deps: upgrade npm to 9.5.0 PR-URL: https://github.com/nodejs/node/pull/46673 Reviewed-By: Luke Karrys <luke@lukekarrys.com> Reviewed-By: Moshe Atlow <moshe@atlow.co.il> Reviewed-By: Ruy Adorno <ruyadorno@google.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Myles Borins <myles.borins@gmail.com> 2023-02-18 17:09:39 -05:00
			`const generateProvenance = async (subject, opts) => {`
			`const { env } = process`
deps: upgrade npm to 9.6.2 PR-URL: https://github.com/nodejs/node/pull/47108 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> 2023-03-15 17:39:48 +00:00			`/* istanbul ignore next - not covering missing env var case */`
			`const [workflowPath] = (env.GITHUB_WORKFLOW_REF \|\| '')`
			`.replace(env.GITHUB_REPOSITORY + '/', '')`
			`.split('@')`
deps: upgrade npm to 9.5.0 PR-URL: https://github.com/nodejs/node/pull/46673 Reviewed-By: Luke Karrys <luke@lukekarrys.com> Reviewed-By: Moshe Atlow <moshe@atlow.co.il> Reviewed-By: Ruy Adorno <ruyadorno@google.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Myles Borins <myles.borins@gmail.com> 2023-02-18 17:09:39 -05:00			`const payload = {`
			`_type: INTOTO_STATEMENT_TYPE,`
			`subject,`
			`predicateType: SLSA_PREDICATE_TYPE,`
			`predicate: {`
deps: upgrade npm to 9.6.2 PR-URL: https://github.com/nodejs/node/pull/47108 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> 2023-03-15 17:39:48 +00:00			buildType: `${BUILD_TYPE_PREFIX}/${BUILD_TYPE_VERSION}`,
			`builder: { id: BUILDER_ID },`
deps: upgrade npm to 9.5.0 PR-URL: https://github.com/nodejs/node/pull/46673 Reviewed-By: Luke Karrys <luke@lukekarrys.com> Reviewed-By: Moshe Atlow <moshe@atlow.co.il> Reviewed-By: Ruy Adorno <ruyadorno@google.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Myles Borins <myles.borins@gmail.com> 2023-02-18 17:09:39 -05:00			`invocation: {`
			`configSource: {`
			uri: `git+${env.GITHUB_SERVER_URL}/${env.GITHUB_REPOSITORY}@${env.GITHUB_REF}`,
			`digest: {`
			`sha1: env.GITHUB_SHA,`
			`},`
deps: upgrade npm to 9.6.2 PR-URL: https://github.com/nodejs/node/pull/47108 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> 2023-03-15 17:39:48 +00:00			`entryPoint: workflowPath,`
deps: upgrade npm to 9.5.0 PR-URL: https://github.com/nodejs/node/pull/46673 Reviewed-By: Luke Karrys <luke@lukekarrys.com> Reviewed-By: Moshe Atlow <moshe@atlow.co.il> Reviewed-By: Ruy Adorno <ruyadorno@google.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Myles Borins <myles.borins@gmail.com> 2023-02-18 17:09:39 -05:00			`},`
			`parameters: {},`
			`environment: {`
			`GITHUB_EVENT_NAME: env.GITHUB_EVENT_NAME,`
			`GITHUB_REF: env.GITHUB_REF,`
			`GITHUB_REPOSITORY: env.GITHUB_REPOSITORY,`
			`GITHUB_REPOSITORY_ID: env.GITHUB_REPOSITORY_ID,`
			`GITHUB_REPOSITORY_OWNER_ID: env.GITHUB_REPOSITORY_OWNER_ID,`
			`GITHUB_RUN_ATTEMPT: env.GITHUB_RUN_ATTEMPT,`
			`GITHUB_RUN_ID: env.GITHUB_RUN_ID,`
			`GITHUB_SHA: env.GITHUB_SHA,`
			`GITHUB_WORKFLOW_REF: env.GITHUB_WORKFLOW_REF,`
			`GITHUB_WORKFLOW_SHA: env.GITHUB_WORKFLOW_SHA,`
			`},`
			`},`
			`metadata: {`
			buildInvocationId: `${env.GITHUB_RUN_ID}-${env.GITHUB_RUN_ATTEMPT}`,
			`completeness: {`
			`parameters: false,`
			`environment: false,`
			`materials: false,`
			`},`
			`reproducible: false,`
			`},`
			`materials: [`
			`{`
deps: upgrade npm to 9.6.2 PR-URL: https://github.com/nodejs/node/pull/47108 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> 2023-03-15 17:39:48 +00:00			uri: `git+${env.GITHUB_SERVER_URL}/${env.GITHUB_REPOSITORY}@${env.GITHUB_REF}`,
deps: upgrade npm to 9.5.0 PR-URL: https://github.com/nodejs/node/pull/46673 Reviewed-By: Luke Karrys <luke@lukekarrys.com> Reviewed-By: Moshe Atlow <moshe@atlow.co.il> Reviewed-By: Ruy Adorno <ruyadorno@google.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Myles Borins <myles.borins@gmail.com> 2023-02-18 17:09:39 -05:00			`digest: {`
			`sha1: env.GITHUB_SHA,`
			`},`
			`},`
			`],`
			`},`
			`}`

			`return sigstore.attest(Buffer.from(JSON.stringify(payload)), INTOTO_PAYLOAD_TYPE, opts)`
			`}`

			`module.exports = {`
			`generateProvenance,`
			`}`