fix: add provenance publish notice (#6247)

Signed-off-by: Brian DeHamer <[email protected]>

Author: bdehamer

DEPENDENCIES.md

@@ -64,6 +64,7 @@ graph LR;
   libnpmpublish-->npmcli-eslint-config["@npmcli/eslint-config"];
   libnpmpublish-->npmcli-mock-registry["@npmcli/mock-registry"];
   libnpmpublish-->npmcli-template-oss["@npmcli/template-oss"];
+  libnpmpublish-->proc-log;
   libnpmpublish-->semver;
   libnpmpublish-->ssri;
   libnpmsearch-->npm-registry-fetch;
@@ -408,6 +409,7 @@ graph LR;
   libnpmpublish-->npmcli-eslint-config["@npmcli/eslint-config"];
   libnpmpublish-->npmcli-mock-registry["@npmcli/mock-registry"];
   libnpmpublish-->npmcli-template-oss["@npmcli/template-oss"];
+  libnpmpublish-->proc-log;
   libnpmpublish-->semver;
   libnpmpublish-->sigstore;
   libnpmpublish-->ssri;

package-lock.json

@@ -15210,6 +15210,7 @@
         "normalize-package-data": "^5.0.0",
         "npm-package-arg": "^10.1.0",
         "npm-registry-fetch": "^14.0.3",
+        "proc-log": "^3.0.0",
         "semver": "^7.3.7",
         "sigstore": "^1.0.0",
         "ssri": "^10.0.1"

workspaces/libnpmpublish/lib/publish.js

@@ -1,13 +1,16 @@
 const { fixer } = require('normalize-package-data')
 const npmFetch = require('npm-registry-fetch')
 const npa = require('npm-package-arg')
+const log = require('proc-log')
 const semver = require('semver')
 const { URL } = require('url')
 const ssri = require('ssri')
 const ciInfo = require('ci-info')
 
 const { generateProvenance } = require('./provenance')
 
+const TLOG_BASE_URL = 'https://rekor.sigstore.dev/api/v1/log/entries'
+
 const publish = async (manifest, tarballData, opts) => {
   if (manifest.private) {
     throw Object.assign(
@@ -169,6 +172,16 @@ const buildMetadata = async (registry, manifest, tarballData, spec, opts) => {
     }
     const provenanceBundle = await generateProvenance([subject], opts)
 
+    /* eslint-disable-next-line max-len */
+    log.notice('publish', 'Signed provenance statement with source and build information from GitHub Actions')
+
+    const tlogEntry = provenanceBundle?.verificationMaterial?.tlogEntries[0]
+    /* istanbul ignore else */
+    if (tlogEntry) {
+      const logUrl = `${TLOG_BASE_URL}?logIndex=${tlogEntry.logIndex}`
+      log.notice('publish', `Provenance statement published to transparency log: ${logUrl}`)
+    }
+
     const serializedBundle = JSON.stringify(provenanceBundle)
     root._attachments[provenanceBundleName] = {
       content_type: provenanceBundle.mediaType,

workspaces/libnpmpublish/package.json

@@ -42,6 +42,7 @@
     "normalize-package-data": "^5.0.0",
     "npm-package-arg": "^10.1.0",
     "npm-registry-fetch": "^14.0.3",
+    "proc-log": "^3.0.0",
     "semver": "^7.3.7",
     "sigstore": "^1.0.0",
     "ssri": "^10.0.1"