@savvy-web/silk-effects 1.2.0 → 1.3.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/services/SilkPublishability.js +51 -18
package/package.json
CHANGED
|
@@ -16,6 +16,26 @@ const DEFAULT_REGISTRIES = {
|
|
|
16
16
|
github: "https://npm.pkg.github.com"
|
|
17
17
|
};
|
|
18
18
|
/**
|
|
19
|
+
* Whether a registry endpoint participates in npm-style SLSA provenance.
|
|
20
|
+
*
|
|
21
|
+
* @remarks
|
|
22
|
+
* The npm public registry and GitHub Packages both accept provenance attestations through the
|
|
23
|
+
* Sigstore/OIDC trusted-publishing flow, so a {@link PublishTarget} bound to either is marked
|
|
24
|
+
* `provenance: true` by default — this is what gates the release action's attestation step. JSR
|
|
25
|
+
* and custom registries do not participate and resolve to `false`. Matching is endpoint-based
|
|
26
|
+
* (not target-key based) so a custom key pointed at one of these registries still opts in.
|
|
27
|
+
*/
|
|
28
|
+
const provenanceForRegistry = (registry) => {
|
|
29
|
+
const normalized = /^[a-z]+:\/\//i.test(registry) ? registry : `https://${registry}`;
|
|
30
|
+
let hostname;
|
|
31
|
+
try {
|
|
32
|
+
hostname = new URL(normalized).hostname.toLowerCase();
|
|
33
|
+
} catch {
|
|
34
|
+
return false;
|
|
35
|
+
}
|
|
36
|
+
return hostname === "registry.npmjs.org" || hostname === "npm.pkg.github.com";
|
|
37
|
+
};
|
|
38
|
+
/**
|
|
19
39
|
* Silk publishability rules over `workspaces-effect`'s {@link PublishTarget}.
|
|
20
40
|
*
|
|
21
41
|
* @remarks
|
|
@@ -57,28 +77,41 @@ var SilkPublishability = class {
|
|
|
57
77
|
name: t.name,
|
|
58
78
|
registry: t.registry,
|
|
59
79
|
directory: dirByGroup.get(t.group) ?? `dist/prod/${t.group}/pkg`,
|
|
60
|
-
access
|
|
80
|
+
access,
|
|
81
|
+
provenance: provenanceForRegistry(t.registry)
|
|
61
82
|
}));
|
|
62
83
|
}
|
|
63
|
-
return Object.
|
|
84
|
+
return Object.entries(targets).map(([id, target]) => {
|
|
85
|
+
const registry = typeof target === "object" && target !== null && typeof target.registry === "string" ? target.registry : DEFAULT_REGISTRIES[id] ?? pc?.registry ?? NPM_DEFAULT;
|
|
86
|
+
return new PublishTarget({
|
|
87
|
+
name: pkgName,
|
|
88
|
+
registry,
|
|
89
|
+
directory: `dist/prod/${id}/pkg`,
|
|
90
|
+
access,
|
|
91
|
+
provenance: provenanceForRegistry(registry)
|
|
92
|
+
});
|
|
93
|
+
});
|
|
94
|
+
}
|
|
95
|
+
if (pc && (pc.access === "public" || pc.access === "restricted")) {
|
|
96
|
+
const registry = pc.registry ?? NPM_DEFAULT;
|
|
97
|
+
return [new PublishTarget({
|
|
98
|
+
name: pkgName,
|
|
99
|
+
registry,
|
|
100
|
+
directory: pc.directory ?? ".",
|
|
101
|
+
access: pc.access,
|
|
102
|
+
provenance: provenanceForRegistry(registry)
|
|
103
|
+
})];
|
|
104
|
+
}
|
|
105
|
+
if (raw.private !== true) {
|
|
106
|
+
const registry = pc?.registry ?? NPM_DEFAULT;
|
|
107
|
+
return [new PublishTarget({
|
|
64
108
|
name: pkgName,
|
|
65
|
-
registry
|
|
66
|
-
directory:
|
|
67
|
-
access
|
|
68
|
-
|
|
109
|
+
registry,
|
|
110
|
+
directory: pc?.directory ?? ".",
|
|
111
|
+
access: pc?.access ?? "public",
|
|
112
|
+
provenance: provenanceForRegistry(registry)
|
|
113
|
+
})];
|
|
69
114
|
}
|
|
70
|
-
if (pc && (pc.access === "public" || pc.access === "restricted")) return [new PublishTarget({
|
|
71
|
-
name: pkgName,
|
|
72
|
-
registry: pc.registry ?? NPM_DEFAULT,
|
|
73
|
-
directory: pc.directory ?? ".",
|
|
74
|
-
access: pc.access
|
|
75
|
-
})];
|
|
76
|
-
if (raw.private !== true) return [new PublishTarget({
|
|
77
|
-
name: pkgName,
|
|
78
|
-
registry: pc?.registry ?? NPM_DEFAULT,
|
|
79
|
-
directory: pc?.directory ?? ".",
|
|
80
|
-
access: pc?.access ?? "public"
|
|
81
|
-
})];
|
|
82
115
|
return [];
|
|
83
116
|
}
|
|
84
117
|
/**
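Review bot: `provenanceForRegistry` decides on hostname alone, so a registry configured as `http://registry.npmjs.org` (or any non-TLS scheme that the `/^[a-z]+:\/\//i` prefix test accepts) still yields `provenance: true` and turns on the attestation step for an endpoint where the OIDC/Sigstore flow is not expected to work; the opt-in should also require the parsed protocol to be `https:`, e.g. inside the `try` replace the assignment with `const url = new URL(normalized);`, `if (url.protocol !== "https:") return false;`, `hostname = url.hostname.toLowerCase();`. Relying on `URL` parsing rather than string matching is the right choice here, since it already strips userinfo and port before the comparison. A smaller inconsistency: the `dirByGroup` branch passes `t.registry` straight through while the `targets` branch only trusts `target.registry` when `typeof target.registry === "string"`; a non-string there appears to fall through to the hostname mismatch and resolve to `false`, which seems acceptable but is worth a short comment on the helper stating that any unparsable or non-string input resolves to `false`. The enclosing class and the `publishTargets` method begin before the second hunk.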
|