security: generate SLSA reports for each release #194
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Implements comprehensive SLSA (Supply chain Levels for Software Artifacts) provenance generation to provide cryptographic verification of build integrity and origin. Changes: - Add comprehensive SLSA documentation (.github/SLSA.md) - Explains what SLSA is and why it matters - Provides verification instructions for users - Documents troubleshooting steps - Lists security benefits and limitations - Update auto-release.yml workflow - Add id-token and attestations write permissions - Generate build attestation using actions/attest-build-provenance@v2 - Add --provenance flag to NPM publish commands - Add --provenance flag to GitHub Packages publish - Update release.yml workflow - Add SLSA permissions to test and publish jobs - Generate build attestation after build step - Add --provenance flag to NPM publish commands - Add --provenance flag to GitHub Packages publish - Update CLAUDE.md documentation - Add PR #7 section documenting SLSA implementation - Update summary statistics - Mark SLSA as completed in recommendations Benefits: ✅ SLSA Build Level 3 certification ✅ Cryptographically signed build provenance ✅ Verifiable proof of build origin ✅ Protection against supply chain attacks ✅ NPM registry verification support ✅ GitHub attestations for all releases Users can now verify packages with: npm audit signatures Closes #[issue-number-if-any]
ibrahimcesar
added
documentation
Contributor
size-limit report 📦
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Implements comprehensive SLSA (Supply chain Levels for Software Artifacts) provenance generation to provide cryptographic verification of build integrity and origin.
Changes:
Add comprehensive SLSA documentation (.github/SLSA.md)
Update auto-release.yml workflow
Update release.yml workflow
Update CLAUDE.md documentation
Benefits:
✅ SLSA Build Level 3 certification
✅ Cryptographically signed build provenance
✅ Verifiable proof of build origin
✅ Protection against supply chain attacks
✅ NPM registry verification support
✅ GitHub attestations for all releases
Users can now verify packages with: npm audit signatures