feat: add --provenance flag to yarn npm publish

Author: GauBen

.pnp.cjs

@@ -0,0 +1,34 @@
+releases:
+  "@yarnpkg/cli": minor
+  "@yarnpkg/core": minor
+  "@yarnpkg/plugin-npm": minor
+  "@yarnpkg/plugin-npm-cli": minor
+
+declined:
+  - "@yarnpkg/plugin-compat"
+  - "@yarnpkg/plugin-constraints"
+  - "@yarnpkg/plugin-dlx"
+  - "@yarnpkg/plugin-essentials"
+  - "@yarnpkg/plugin-exec"
+  - "@yarnpkg/plugin-file"
+  - "@yarnpkg/plugin-git"
+  - "@yarnpkg/plugin-github"
+  - "@yarnpkg/plugin-http"
+  - "@yarnpkg/plugin-init"
+  - "@yarnpkg/plugin-interactive-tools"
+  - "@yarnpkg/plugin-link"
+  - "@yarnpkg/plugin-nm"
+  - "@yarnpkg/plugin-pack"
+  - "@yarnpkg/plugin-patch"
+  - "@yarnpkg/plugin-pnp"
+  - "@yarnpkg/plugin-pnpm"
+  - "@yarnpkg/plugin-stage"
+  - "@yarnpkg/plugin-typescript"
+  - "@yarnpkg/plugin-version"
+  - "@yarnpkg/plugin-workspace-tools"
+  - "@yarnpkg/builder"
+  - "@yarnpkg/doctor"
+  - "@yarnpkg/extensions"
+  - "@yarnpkg/nm"
+  - "@yarnpkg/pnpify"
+  - "@yarnpkg/sdks"

.yarn/cache/@sigstore-bundle-npm-3.1.0-93e02e23c5-21b246ec63.zip

@@ -28,7 +28,9 @@
   },
   "resolutions": {
     "ink@^3.2.0": "patch:ink@npm%3A3.2.0#~/.yarn/patches/ink-npm-3.2.0-2f1df5b094.patch",
-    "yoga-layout-prebuilt": "patch:[email protected]#./.yarn/patches/yoga-layout-prebuilt.patch"
+    "yoga-layout-prebuilt": "patch:[email protected]#./.yarn/patches/yoga-layout-prebuilt.patch",
+    "make-fetch-happen@npm:^14.0.1": "portal:packages/make-fetch-smaller",
+    "make-fetch-happen@npm:^14.0.2": "portal:packages/make-fetch-smaller"
   },
   "dependenciesMeta": {
     "core-js": {

.yarn/cache/@sigstore-core-npm-2.0.0-6546ce777b-ec1deae943.zip

@@ -444,3 +444,44 @@ Our research showed that even our power users aren't always aware of some of the
 When enabled, the `enableOfflineMode` flag tells Yarn to ignore remote registries and only pull data from its internal caches. This is a handy mode when working from within network-constrained environments such as planes or trains.
 
 To leave the offline work mode, check how it got enabled by running `yarn config --why`. If `<environment>`, run `unset YARN_ENABLE_OFFLINE_MODE` in your terminal. Otherwise, remove the `enableOfflineMode` flag from the relevant `.yarnrc.yml` files.
+
+## YN0091 - `INVALID_PROVENANCE_ENVIRONMENT`
+
+This error is triggered when the [provenance statement](https://docs.npmjs.com/generating-provenance-statements) cannot be generated in the current environment. GitHub Actions and GitLab CI are the only supported environments at the moment, and this error is triggered when either running in another environment or when credentials are missing.
+
+On GitHub Actions, you need to grant the `write-id` permission to your workflow. Here is an example of how to do that:
+
+```yaml
+name: Publish Package to npmjs
+on:
+  push:
+    branches: [main]
+jobs:
+  publish:
+    runs-on: ubuntu-latest # Must run on GitHub-hosted runners
+    permissions:
+      id-token: write
+    steps:
+      - uses: actions/checkout@v4
+      - run: npm install -g corepack && corepack enable
+      - run: yarn && yarn build
+      - run: yarn config set npmAuthToken '${{ secrets.NPM_TOKEN }}'
+      - run: yarn publish --provenance --tolerate-republish
+```
+
+On GitLab CI, you need to produce a `SIGSTORE_ID_TOKEN` for your workflow. Here is an example of how to do that:
+
+```yaml
+publish:
+  image: 'node:22'
+  rules:
+    - if: '$CI_COMMIT_BRANCH == "main"'
+  id_tokens:
+    SIGSTORE_ID_TOKEN:
+      aud: sigstore
+  script:
+    - npm install -g corepack && corepack enable
+    - yarn && yarn build
+    - yarn config set npmAuthToken $NPM_TOKEN
+    - yarn publish --provenance --tolerate-republish
+```

.yarn/cache/@sigstore-protobuf-specs-npm-0.4.0-2d7d3b28ee-b267b24c8a.zip

@@ -0,0 +1,5 @@
+# make-fetch-smaller
+
+This package is a drop-in replacement for `make-fetch-happen`, but uses Node.js native `fetch` instead of pulling [79 dependencies.](https://node-modules.dev/graph#install=make-fetch-happen)
+
+It is used by the [sigstore](https://www.npmjs.com/package/sigstore) package and its dependencies to produce the provenance statement for packages published to the npm registry with `yarn npm publish --provenance`.

.yarn/cache/@sigstore-sign-npm-3.1.0-c852831d71-e0ce0aa52b.zip

@@ -0,0 +1,2 @@
+// eslint-disable-next-line
+module.exports = fetch;

.yarn/cache/@sigstore-tuf-npm-3.1.0-dcdff5411e-7040aaa8b0.zip

@@ -0,0 +1,14 @@
+{
+  "name": "make-fetch-smaller",
+  "private": true,
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/yarnpkg/berry.git",
+    "directory": "packages/make-fetch-smaller"
+  },
+  "license": "BSD-2-Clause",
+  "type": "commonjs",
+  "engines": {
+    "node": ">=18.12.0"
+  }
+}

.yarn/cache/@sigstore-verify-npm-2.1.0-0174fd0384-bb0a8472c8.zip

@@ -42,6 +42,10 @@ export default class NpmPublishCommand extends BaseCommand {
     description: `The OTP token to use with the command`,
   });
 
+  provenance = Option.Boolean(`--provenance`, false, {
+    description: `Generate provenance for the package. Only available in GitHub Actions and GitLab CI.`,
+  });
+
   async execute() {
     const configuration = await Configuration.find(this.context.cwd, this.context.plugins);
     const {project, workspace} = await Project.find(configuration, this.context.cwd);
@@ -107,6 +111,7 @@ export default class NpmPublishCommand extends BaseCommand {
           tag: this.tag,
           registry,
           gitHead,
+          provenance: this.provenance,
         });
 
         await npmHttpUtils.put(npmHttpUtils.getIdentUrl(ident), body, {

.yarn/cache/@tufjs-canonical-json-npm-2.0.0-46a22aa444-cc719a1d0d.zip

@@ -5,3 +5,7 @@ This plugin adds support for downloading packages from the npm registry.
 ## Install
 
 This plugin is included by default in Yarn.
+
+## Attribution
+
+Provenance code adapted from [npm/cli](https://github.com/npm/cli/blob/04f53ce13201b460123067d7153f1681342548e1/workspaces/libnpmpublish/lib/provenance.js), under [ISC license](https://github.com/npm/cli/blob/04f53ce13201b460123067d7153f1681342548e1/workspaces/libnpmpublish/LICENSE).

.yarn/cache/@tufjs-models-npm-3.0.1-29f012ba2d-00636238b2.zip

@@ -12,7 +12,8 @@
     "enquirer": "^2.3.6",
     "lodash": "^4.17.15",
     "semver": "^7.1.2",
-    "ssri": "^6.0.1",
+    "sigstore": "^3.1.0",
+    "ssri": "^12.0.0",
     "tslib": "^2.4.0"
   },
   "peerDependencies": {
@@ -22,7 +23,7 @@
   "devDependencies": {
     "@types/lodash": "^4.14.136",
     "@types/semver": "^7.1.0",
-    "@types/ssri": "^6.0.1",
+    "@types/ssri": "^7.1.5",
     "@yarnpkg/core": "workspace:^",
     "@yarnpkg/plugin-pack": "workspace:^"
   },

.yarn/cache/@types-ssri-npm-6.0.1-da6c21e6d2-1917e8c018.zip

@@ -0,0 +1,220 @@
+/**
+ * This code is adapted from the npm project, under ISC License.
+ *
+ * Original source:
+ * https://github.com/npm/cli/blob/04f53ce13201b460123067d7153f1681342548e1/workspaces/libnpmpublish/lib/provenance.js
+ */
+
+import {MessageName, ReportError} from '@yarnpkg/core';
+import * as sigstore              from 'sigstore';
+
+const {env} = process;
+
+const INTOTO_PAYLOAD_TYPE = `application/vnd.in-toto+json`;
+const INTOTO_STATEMENT_V01_TYPE = `https://in-toto.io/Statement/v0.1`;
+const INTOTO_STATEMENT_V1_TYPE = `https://in-toto.io/Statement/v1`;
+const SLSA_PREDICATE_V02_TYPE = `https://slsa.dev/provenance/v0.2`;
+const SLSA_PREDICATE_V1_TYPE = `https://slsa.dev/provenance/v1`;
+
+const GITHUB_BUILDER_ID_PREFIX = `https://github.com/actions/runner`;
+const GITHUB_BUILD_TYPE = `https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1`;
+
+const GITLAB_BUILD_TYPE_PREFIX = `https://github.com/npm/cli/gitlab`;
+const GITLAB_BUILD_TYPE_VERSION = `v0alpha1`;
+
+export const generateProvenance = async (subject: any, opts?: sigstore.SignOptions) => {
+  let payload: unknown;
+  if (env.GITHUB_ACTIONS) {
+    if (!env.ACTIONS_ID_TOKEN_REQUEST_URL) {
+      throw new ReportError(
+        MessageName.INVALID_PROVENANCE_ENVIRONMENT,
+        `Provenance generation in GitHub Actions requires "write" access to the "id-token" permission`,
+      );
+    }
+
+    const relativeRef = (env.GITHUB_WORKFLOW_REF || ``).replace(`${env.GITHUB_REPOSITORY}/`, ``);
+    const delimiterIndex = relativeRef.indexOf(`@`);
+    const workflowPath = relativeRef.slice(0, delimiterIndex);
+    const workflowRef = relativeRef.slice(delimiterIndex + 1);
+
+    payload = {
+      _type: INTOTO_STATEMENT_V1_TYPE,
+      subject,
+      predicateType: SLSA_PREDICATE_V1_TYPE,
+      predicate: {
+        buildDefinition: {
+          buildType: GITHUB_BUILD_TYPE,
+          externalParameters: {
+            workflow: {
+              ref: workflowRef,
+              repository: `${env.GITHUB_SERVER_URL}/${env.GITHUB_REPOSITORY}`,
+              path: workflowPath,
+            },
+          },
+          internalParameters: {
+            github: {
+              event_name: env.GITHUB_EVENT_NAME,
+              repository_id: env.GITHUB_REPOSITORY_ID,
+              repository_owner_id: env.GITHUB_REPOSITORY_OWNER_ID,
+            },
+          },
+          resolvedDependencies: [
+            {
+              uri: `git+${env.GITHUB_SERVER_URL}/${env.GITHUB_REPOSITORY}@${env.GITHUB_REF}`,
+              digest: {
+                gitCommit: env.GITHUB_SHA,
+              },
+            },
+          ],
+        },
+        runDetails: {
+          builder: {id: `${GITHUB_BUILDER_ID_PREFIX}/${env.RUNNER_ENVIRONMENT}`},
+          metadata: {
+            invocationId: `${env.GITHUB_SERVER_URL}/${env.GITHUB_REPOSITORY}/actions/runs/${env.GITHUB_RUN_ID}/attempts/${env.GITHUB_RUN_ATTEMPT}`,
+          },
+        },
+      },
+    };
+  } else if (env.GITLAB_CI) {
+    if (!env.SIGSTORE_ID_TOKEN) {
+      throw new ReportError(
+        MessageName.INVALID_PROVENANCE_ENVIRONMENT,
+        `Provenance generation in GitLab CI requires "SIGSTORE_ID_TOKEN" with "sigstore" audience to be present in "id_tokens". For more info see:\nhttps://docs.gitlab.com/ee/ci/secrets/id_token_authentication.html`,
+      );
+    }
+
+    payload = {
+      _type: INTOTO_STATEMENT_V01_TYPE,
+      subject,
+      predicateType: SLSA_PREDICATE_V02_TYPE,
+      predicate: {
+        buildType: `${GITLAB_BUILD_TYPE_PREFIX}/${GITLAB_BUILD_TYPE_VERSION}`,
+        builder: {id: `${env.CI_PROJECT_URL}/-/runners/${env.CI_RUNNER_ID}`},
+        invocation: {
+          configSource: {
+            uri: `git+${env.CI_PROJECT_URL}`,
+            digest: {
+              sha1: env.CI_COMMIT_SHA,
+            },
+            entryPoint: env.CI_JOB_NAME,
+          },
+          parameters: {
+            CI: env.CI,
+            CI_API_GRAPHQL_URL: env.CI_API_GRAPHQL_URL,
+            CI_API_V4_URL: env.CI_API_V4_URL,
+            CI_BUILD_BEFORE_SHA: env.CI_BUILD_BEFORE_SHA,
+            CI_BUILD_ID: env.CI_BUILD_ID,
+            CI_BUILD_NAME: env.CI_BUILD_NAME,
+            CI_BUILD_REF: env.CI_BUILD_REF,
+            CI_BUILD_REF_NAME: env.CI_BUILD_REF_NAME,
+            CI_BUILD_REF_SLUG: env.CI_BUILD_REF_SLUG,
+            CI_BUILD_STAGE: env.CI_BUILD_STAGE,
+            CI_COMMIT_BEFORE_SHA: env.CI_COMMIT_BEFORE_SHA,
+            CI_COMMIT_BRANCH: env.CI_COMMIT_BRANCH,
+            CI_COMMIT_REF_NAME: env.CI_COMMIT_REF_NAME,
+            CI_COMMIT_REF_PROTECTED: env.CI_COMMIT_REF_PROTECTED,
+            CI_COMMIT_REF_SLUG: env.CI_COMMIT_REF_SLUG,
+            CI_COMMIT_SHA: env.CI_COMMIT_SHA,
+            CI_COMMIT_SHORT_SHA: env.CI_COMMIT_SHORT_SHA,
+            CI_COMMIT_TIMESTAMP: env.CI_COMMIT_TIMESTAMP,
+            CI_COMMIT_TITLE: env.CI_COMMIT_TITLE,
+            CI_CONFIG_PATH: env.CI_CONFIG_PATH,
+            CI_DEFAULT_BRANCH: env.CI_DEFAULT_BRANCH,
+            CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX:
+              env.CI_DEPENDENCY_PROXY_DIRECT_GROUP_IMAGE_PREFIX,
+            CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX: env.CI_DEPENDENCY_PROXY_GROUP_IMAGE_PREFIX,
+            CI_DEPENDENCY_PROXY_SERVER: env.CI_DEPENDENCY_PROXY_SERVER,
+            CI_DEPENDENCY_PROXY_USER: env.CI_DEPENDENCY_PROXY_USER,
+            CI_JOB_ID: env.CI_JOB_ID,
+            CI_JOB_NAME: env.CI_JOB_NAME,
+            CI_JOB_NAME_SLUG: env.CI_JOB_NAME_SLUG,
+            CI_JOB_STAGE: env.CI_JOB_STAGE,
+            CI_JOB_STARTED_AT: env.CI_JOB_STARTED_AT,
+            CI_JOB_URL: env.CI_JOB_URL,
+            CI_NODE_TOTAL: env.CI_NODE_TOTAL,
+            CI_PAGES_DOMAIN: env.CI_PAGES_DOMAIN,
+            CI_PAGES_URL: env.CI_PAGES_URL,
+            CI_PIPELINE_CREATED_AT: env.CI_PIPELINE_CREATED_AT,
+            CI_PIPELINE_ID: env.CI_PIPELINE_ID,
+            CI_PIPELINE_IID: env.CI_PIPELINE_IID,
+            CI_PIPELINE_SOURCE: env.CI_PIPELINE_SOURCE,
+            CI_PIPELINE_URL: env.CI_PIPELINE_URL,
+            CI_PROJECT_CLASSIFICATION_LABEL: env.CI_PROJECT_CLASSIFICATION_LABEL,
+            CI_PROJECT_DESCRIPTION: env.CI_PROJECT_DESCRIPTION,
+            CI_PROJECT_ID: env.CI_PROJECT_ID,
+            CI_PROJECT_NAME: env.CI_PROJECT_NAME,
+            CI_PROJECT_NAMESPACE: env.CI_PROJECT_NAMESPACE,
+            CI_PROJECT_NAMESPACE_ID: env.CI_PROJECT_NAMESPACE_ID,
+            CI_PROJECT_PATH: env.CI_PROJECT_PATH,
+            CI_PROJECT_PATH_SLUG: env.CI_PROJECT_PATH_SLUG,
+            CI_PROJECT_REPOSITORY_LANGUAGES: env.CI_PROJECT_REPOSITORY_LANGUAGES,
+            CI_PROJECT_ROOT_NAMESPACE: env.CI_PROJECT_ROOT_NAMESPACE,
+            CI_PROJECT_TITLE: env.CI_PROJECT_TITLE,
+            CI_PROJECT_URL: env.CI_PROJECT_URL,
+            CI_PROJECT_VISIBILITY: env.CI_PROJECT_VISIBILITY,
+            CI_REGISTRY: env.CI_REGISTRY,
+            CI_REGISTRY_IMAGE: env.CI_REGISTRY_IMAGE,
+            CI_REGISTRY_USER: env.CI_REGISTRY_USER,
+            CI_RUNNER_DESCRIPTION: env.CI_RUNNER_DESCRIPTION,
+            CI_RUNNER_ID: env.CI_RUNNER_ID,
+            CI_RUNNER_TAGS: env.CI_RUNNER_TAGS,
+            CI_SERVER_HOST: env.CI_SERVER_HOST,
+            CI_SERVER_NAME: env.CI_SERVER_NAME,
+            CI_SERVER_PORT: env.CI_SERVER_PORT,
+            CI_SERVER_PROTOCOL: env.CI_SERVER_PROTOCOL,
+            CI_SERVER_REVISION: env.CI_SERVER_REVISION,
+            CI_SERVER_SHELL_SSH_HOST: env.CI_SERVER_SHELL_SSH_HOST,
+            CI_SERVER_SHELL_SSH_PORT: env.CI_SERVER_SHELL_SSH_PORT,
+            CI_SERVER_URL: env.CI_SERVER_URL,
+            CI_SERVER_VERSION: env.CI_SERVER_VERSION,
+            CI_SERVER_VERSION_MAJOR: env.CI_SERVER_VERSION_MAJOR,
+            CI_SERVER_VERSION_MINOR: env.CI_SERVER_VERSION_MINOR,
+            CI_SERVER_VERSION_PATCH: env.CI_SERVER_VERSION_PATCH,
+            CI_TEMPLATE_REGISTRY_HOST: env.CI_TEMPLATE_REGISTRY_HOST,
+            GITLAB_CI: env.GITLAB_CI,
+            GITLAB_FEATURES: env.GITLAB_FEATURES,
+            GITLAB_USER_ID: env.GITLAB_USER_ID,
+            GITLAB_USER_LOGIN: env.GITLAB_USER_LOGIN,
+            RUNNER_GENERATE_ARTIFACTS_METADATA: env.RUNNER_GENERATE_ARTIFACTS_METADATA,
+          },
+          environment: {
+            name: env.CI_RUNNER_DESCRIPTION,
+            architecture: env.CI_RUNNER_EXECUTABLE_ARCH,
+            server: env.CI_SERVER_URL,
+            project: env.CI_PROJECT_PATH,
+            job: {
+              id: env.CI_JOB_ID,
+            },
+            pipeline: {
+              id: env.CI_PIPELINE_ID,
+              ref: env.CI_CONFIG_PATH,
+            },
+          },
+        },
+        metadata: {
+          buildInvocationId: `${env.CI_JOB_URL}`,
+          completeness: {
+            parameters: true,
+            environment: true,
+            materials: false,
+          },
+          reproducible: false,
+        },
+        materials: [
+          {
+            uri: `git+${env.CI_PROJECT_URL}`,
+            digest: {
+              sha1: env.CI_COMMIT_SHA,
+            },
+          },
+        ],
+      },
+    };
+  } else {
+    throw new ReportError(
+      MessageName.INVALID_PROVENANCE_ENVIRONMENT,
+      `Provenance generation is only supported in GitHub Actions and GitLab CI`,
+    );
+  }
+  return sigstore.attest(Buffer.from(JSON.stringify(payload)), INTOTO_PAYLOAD_TYPE, opts);
+};