
Implement npm provenance statements for released artifacts

Open · martinkuba opened this issue 1 year ago · 1 comment

Is your feature request related to a problem? Please describe.

npm has a provenance statements feature, which makes it possible for users to verify the authenticity of a published package (where/how it was built).

Adding this to our release process would benefit users who are conscious about security and want to verify their supply-chain dependencies.

Describe the solution you'd like

To publish a signed provenance statement to npm along with a release, the package must be published from a supported CI system like GitHub Actions.

This work would involve updating the release process so that publishing to npm is done from a GitHub Actions workflow. This workflow would run npm publish --provenance.

Additional context

I have opened an issue in the Security SIG asking for general guidance for language SDKs: https://github.com/open-telemetry/sig-security/issues/48

martinkuba avatar Jun 20 '24 18:06 martinkuba
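A minimal GitHub Actions workflow implementing the release change the issue describes, added here as an illustration; it is not the issue author's proposal or the opentelemetry-js project's actual release workflow. It assumes a repository secret named NPM_TOKEN, a release triggered by pushing a version tag, and a placeholder package name in the verification job.

```yaml
# Added example, not the project's workflow. Assumptions: secret NPM_TOKEN
# exists, releases are cut by pushing a tag like v1.2.3, and the package
# name in the verify job is a placeholder.
name: release

on:
  push:
    tags:
      - "v*"

permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # required: npm requests an OIDC token that Sigstore uses to sign the attestation
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: "https://registry.npmjs.org"   # writes an .npmrc that reads NODE_AUTH_TOKEN

      - run: npm ci

      - run: npm test

      # --provenance (npm >= 9.5) builds a SLSA provenance attestation bound to
      # this workflow run (repo, commit, workflow file) and uploads it to the
      # registry next to the tarball. It fails outside a supported CI provider.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

  # Consumer-side check, the part a security-conscious user would run:
  # npm audit signatures verifies registry signatures and provenance
  # attestations for installed packages and exits non-zero on a mismatch.
  verify:
    needs: publish
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm install "@example-scope/example-package"   # placeholder for the package just released
      - run: npm audit signatures
```

The verify job is a demonstration of the check, not something the release workflow must contain; users run npm audit signatures in their own projects to confirm the attestation.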