@dc-bytedance/oidc-rehearsal 0.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +17 -0
- package/package.json +16 -0
package/README.md
ADDED
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
# oidc-rehearsal
|
|
2
|
+
|
|
3
|
+
Scratch repo to rehearse npm **Trusted Publishing (OIDC)** + provenance end-to-end.
|
|
4
|
+
|
|
5
|
+
What this proves: a published npm package whose credentials were minted at runtime
|
|
6
|
+
by GitHub OIDC (no long-lived `NPM_TOKEN`) and that carries a public provenance
|
|
7
|
+
attestation.
|
|
8
|
+
|
|
9
|
+
Flow:
|
|
10
|
+
1. Bootstrap-publish `0.0.1` once with a normal npm login (trusted publishing can't
|
|
11
|
+
create a brand-new package's first version).
|
|
12
|
+
2. Configure the Trusted Publisher on npmjs.com (web UI only): this repo + `publish.yml`.
|
|
13
|
+
3. Run the **publish** workflow (Actions tab → Run workflow). It publishes with
|
|
14
|
+
`--provenance` and no token.
|
|
15
|
+
4. Verify: `npm view <pkg>@<ver> dist.attestations`, provenance badge, `npm audit signatures`.
|
|
16
|
+
|
|
17
|
+
Throwaway repo — safe to delete after the rehearsal.
|
package/package.json
ADDED
|
@@ -0,0 +1,16 @@
|
|
|
1
|
+
{
|
|
2
|
+
"name": "@dc-bytedance/oidc-rehearsal",
|
|
3
|
+
"version": "0.0.1",
|
|
4
|
+
"description": "Scratch package to rehearse npm OIDC trusted publishing + provenance.",
|
|
5
|
+
"license": "MIT",
|
|
6
|
+
"repository": {
|
|
7
|
+
"type": "git",
|
|
8
|
+
"url": "git+https://github.com/dc-bytedance/oidc-rehearsal.git"
|
|
9
|
+
},
|
|
10
|
+
"files": [
|
|
11
|
+
"README.md"
|
|
12
|
+
],
|
|
13
|
+
"publishConfig": {
|
|
14
|
+
"access": "public"
|
|
15
|
+
}
|
|
16
|
+
}
|