[Feature]: Provenance Attestation (Security) #33242
Labels
Area: Build System
Fluent UI react-components (v9)
Needs: Discussion
Needs: Investigation
The Shield Dev should investigate this issue and propose a fix
Type: Feature
Area
React Components (@fluentui/react-components)
Describe the feature that you would like added
This allows you to publicly establish where a package was built and who published a package, which can increase supply-chain security for your packages.
Publishing this package only from GitHub Actions, with provenance enabled, makes it possible to cryptographically attest that the package hasn't been tampered with during build, publish, and transport.
When provenance support is enabled, attestations can be validated via `npm audit signatures`.
Additional context
Official Docs:
https://docs.npmjs.com/generating-provenance-statements
Extended discussion on the topic:
expressjs/discussions#268
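As an added illustration of the setup being requested (this is example configuration, not a workflow from the fluentui repository), here is a minimal GitHub Actions release job that publishes with provenance. It assumes the package is published on version-tag pushes, that an npm automation token is stored in a repository secret named NPM_TOKEN, and that the Node.js version, action versions and `--access public` flag are placeholders to adjust for the real release tooling:

```yaml
# Added example, not part of the original issue or the fluentui repo.
# Assumptions: publish runs on tag pushes, NPM_TOKEN is an npm automation
# token stored as a repository secret, node-version is a placeholder.
name: publish-with-provenance

on:
  push:
    tags:
      - 'v*'

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Required for provenance: lets npm obtain a short-lived OIDC identity
      # from GitHub and use it to sign the attestation via Sigstore.
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20   # placeholder
          registry-url: 'https://registry.npmjs.org'
      - run: npm ci
      - run: npm run build
      - run: npm test
      # --provenance makes npm generate and publish a build provenance
      # attestation that ties the tarball to this workflow run and commit.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

Provenance generation needs npm 9.5.0 or newer; the `--provenance` flag can also be set permanently with `"publishConfig": { "provenance": true }` in package.json. Consumers then run `npm audit signatures` in a project after install: it checks every installed package's registry signature and, where present, its provenance attestation, and exits non-zero if any signature or attestation is invalid. The attestation only protects releases that actually go through this workflow, which is why the request specifies publishing from GitHub Actions only: a version published manually from a developer machine would carry no attestation and would be indistinguishable from a compromised publish.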
Have you discussed this feature with our team?
No response
Validations
Priority
Medium