@savvy-web/silk-effects 1.2.0 → 1.3.0

package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@savvy-web/silk-effects",
3
- "version": "1.2.0",
3
+ "version": "1.3.0",
4
4
  "private": false,
5
5
  "description": "Shared Effect library for Silk Suite conventions",
6
6
  "homepage": "https://github.com/savvy-web/systems/tree/main/packages/silk-effects",
@@ -16,6 +16,26 @@ const DEFAULT_REGISTRIES = {
16
16
  github: "https://npm.pkg.github.com"
17
17
  };
18
18
  /**
19
+ * Whether a registry endpoint participates in npm-style SLSA provenance.
20
+ *
21
+ * @remarks
22
+ * The npm public registry and GitHub Packages both accept provenance attestations through the
23
+ * Sigstore/OIDC trusted-publishing flow, so a {@link PublishTarget} bound to either is marked
24
+ * `provenance: true` by default — this is what gates the release action's attestation step. JSR
25
+ * and custom registries do not participate and resolve to `false`. Matching is endpoint-based
26
+ * (not target-key based) so a custom key pointed at one of these registries still opts in.
27
+ */
28
+ const provenanceForRegistry = (registry) => {
29
+ const normalized = /^[a-z]+:\/\//i.test(registry) ? registry : `https://${registry}`;
30
+ let hostname;
31
+ try {
32
+ hostname = new URL(normalized).hostname.toLowerCase();
33
+ } catch {
34
+ return false;
35
+ }
36
+ return hostname === "registry.npmjs.org" || hostname === "npm.pkg.github.com";
37
+ };
38
+ /**
19
39
  * Silk publishability rules over `workspaces-effect`'s {@link PublishTarget}.
20
40
  *
21
41
  * @remarks
@@ -57,28 +77,41 @@ var SilkPublishability = class {
57
77
  name: t.name,
58
78
  registry: t.registry,
59
79
  directory: dirByGroup.get(t.group) ?? `dist/prod/${t.group}/pkg`,
60
- access
80
+ access,
81
+ provenance: provenanceForRegistry(t.registry)
61
82
  }));
62
83
  }
63
- return Object.keys(targets).map((id) => new PublishTarget({
84
+ return Object.entries(targets).map(([id, target]) => {
85
+ const registry = typeof target === "object" && target !== null && typeof target.registry === "string" ? target.registry : DEFAULT_REGISTRIES[id] ?? pc?.registry ?? NPM_DEFAULT;
86
+ return new PublishTarget({
87
+ name: pkgName,
88
+ registry,
89
+ directory: `dist/prod/${id}/pkg`,
90
+ access,
91
+ provenance: provenanceForRegistry(registry)
92
+ });
93
+ });
94
+ }
95
+ if (pc && (pc.access === "public" || pc.access === "restricted")) {
96
+ const registry = pc.registry ?? NPM_DEFAULT;
97
+ return [new PublishTarget({
98
+ name: pkgName,
99
+ registry,
100
+ directory: pc.directory ?? ".",
101
+ access: pc.access,
102
+ provenance: provenanceForRegistry(registry)
103
+ })];
104
+ }
105
+ if (raw.private !== true) {
106
+ const registry = pc?.registry ?? NPM_DEFAULT;
107
+ return [new PublishTarget({
64
108
  name: pkgName,
65
- registry: DEFAULT_REGISTRIES[id] ?? pc?.registry ?? NPM_DEFAULT,
66
- directory: `dist/prod/${id}/pkg`,
67
- access
68
- }));
109
+ registry,
110
+ directory: pc?.directory ?? ".",
111
+ access: pc?.access ?? "public",
112
+ provenance: provenanceForRegistry(registry)
113
+ })];
69
114
  }
70
- if (pc && (pc.access === "public" || pc.access === "restricted")) return [new PublishTarget({
71
- name: pkgName,
72
- registry: pc.registry ?? NPM_DEFAULT,
73
- directory: pc.directory ?? ".",
74
- access: pc.access
75
- })];
76
- if (raw.private !== true) return [new PublishTarget({
77
- name: pkgName,
78
- registry: pc?.registry ?? NPM_DEFAULT,
79
- directory: pc?.directory ?? ".",
80
- access: pc?.access ?? "public"
81
- })];
82
115
  return [];
83
116
  }
84
117
  /**
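Review bot: `provenanceForRegistry` keys only on the parsed hostname, so a registry given as `http://registry.npmjs.org` (or any non-TLS scheme that passes the `/^[a-z]+:\/\//i` test) is marked `provenance: true` even though the OIDC/Sigstore attestation flow described in the @remarks only makes sense over HTTPS; consider checking the scheme too, e.g. `const url = new URL(normalized); if (url.protocol !== "https:") return false; hostname = url.hostname.toLowerCase();`. The @remarks also assert that GitHub Packages accepts provenance attestations; I am not certain that is the case, and if it is not, every target that resolves to `npm.pkg.github.com` now carries `provenance: true` and will trip the release action's attestation step, so it is worth confirming against the current npm and GitHub documentation and, if unsupported, dropping the second hostname from the comparison. The method in the second hunk that builds the `PublishTarget` list starts before the hunk, so the `targets`, `pc` and `raw` inputs it branches on are not visible here.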