feat: Generate SLSA Build L3 provenance
Fixes #20474
This updates ci.yml to build the ember-source package using the SLSA Node.js Builder.
A new build job was added to build the package tgz. The deploy-tag, publish, and publish-alpha jobs will download the tgz and upload it to their respective destinations (npm registry, or S3) rather than building the tgz independently. This allows the package tarball to be identical byte-for-byte and thus verifiable no matter where it is retrieved from.
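An added illustration of the job layout described above (not the PR's actual ci.yml diff): one job builds the tgz on the SLSA Node.js builder, and a publish job only downloads that exact artifact, checks its digest, and uploads it. The builder path and its input/output names are taken from the slsa-github-generator documentation as I know it; the pinned release tag and the `ci:build` script name are assumptions.

```yaml
# Added example, not the PR's own workflow. Builder/action paths and the
# input/output names follow slsa-framework/slsa-github-generator docs; the
# release tag and the package.json script name are assumed placeholders.
name: CI

on:
  push:
    tags: ['v*']

permissions: read-all

jobs:
  build:
    permissions:
      id-token: write   # lets the builder sign provenance via Sigstore
      contents: read
      actions: read
    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_nodejs_slsa3.yml@v1.6.0 # assumed tag
    with:
      run-scripts: ci:build   # assumed: script that produces the ember-source tgz
      directory: .

  publish:
    needs: [build]
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # Fetch the tgz the build job produced and fail if its sha256 does not
      # match what the builder recorded, so a swapped artifact never reaches npm.
      - uses: slsa-framework/slsa-github-generator/actions/nodejs/secure-package-download@v1.6.0
        with:
          name: ${{ needs.build.outputs.package-download-name }}
          path: ${{ needs.build.outputs.package-name }}
          sha256: ${{ needs.build.outputs.package-download-sha256 }}
      # Same check for the provenance bundle that accompanies the package.
      - uses: slsa-framework/slsa-github-generator/actions/nodejs/secure-attestations-download@v1.6.0
        with:
          name: ${{ needs.build.outputs.provenance-download-name }}
          path: attestations
          sha256: ${{ needs.build.outputs.provenance-download-sha256 }}
      # Upload the verified tgz as-is; no rebuild here, so the bytes on npm
      # are the bytes the provenance describes.
      - run: npm publish "${{ needs.build.outputs.package-name }}" --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

A deploy-tag or publish-alpha job uploading to S3 would reuse the same two download steps and swap the final `npm publish` for the S3 upload, which is what keeps every destination byte-for-byte identical.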
Hey @ianlewis, appreciate the PR! There was a brief discussion of this recently on an internal channel, apparently we’re quite interested in this type of provenance work, but doing this as-is will break things for us. @kategengler aims to be in touch, she’s just had a few other things going on … 🙂 Thanks!
Thanks for the update. I'm curious as to what would break things and if there is anything we can do to make it easier on our side. Looking forward to hearing from @kategengler!