Skip to content

Add permissions configuration to workflows and enable npm provenance #64

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
dgreif merged 3 commits into from
Oct 7, 2025
Merged

Add permissions configuration to workflows and enable npm provenance #64

dgreif merged 3 commits into from
Oct 7, 2025

Conversation

Copy link
Contributor

Copilot AI commented Oct 7, 2025
edited
Loading

This PR enhances the security posture of the repository's GitHub Actions workflows by implementing explicit permissions configuration and enabling npm package provenance attestation.

Changes

Security Improvements

All workflows now follow the principle of least privilege by explicitly declaring required permissions:

  • nodejs.yml: Added permissions: contents: read for CI builds
  • publish.yml: Added permissions: contents: read, id-token: write for automated publishing
  • release.yml: Added permissions: contents: write, id-token: write for manual releases

npm Provenance

Both publishing workflows now include the --provenance flag when publishing to npm:

# publish.yml
- run: npm whoami; npm --ignore-scripts publish --provenance

# release.yml  
- run: npm publish --provenance --access public

The id-token: write permission allows GitHub Actions to mint an OIDC token that npm uses to cryptographically sign and attest to the package's build provenance.

Benefits

  1. Enhanced Security: Explicit permissions prevent unauthorized actions by limiting workflow capabilities to only what's needed
  2. Supply Chain Transparency: Published packages will display "Built and signed on GitHub Actions" badges on npmjs.com
  3. Verifiable Builds: Consumers can cryptographically verify that packages were built from this repository using GitHub's infrastructure
  4. Best Practices Compliance: Aligns with current GitHub Actions and npm security recommendations

Published packages will now include verifiable attestations showing:

  • The source repository and commit SHA
  • The GitHub Actions workflow that built the package
  • Cryptographic signatures proving authenticity

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • accounts.google.com
    • Triggering command: /opt/google/chrome/chrome --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=3623 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-45352262 --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,4908381743801459248,9728653737246464431,262144 --disable-features=PaintHolding --variations-seed-version (dns block)
    • Triggering command: /opt/google/chrome/chrome --user-data-dir=/tmp/karma-45352262 --enable-automation --no-default-browser-check --no-first-run --disable-default-apps --disable-popup-blocking --disable-translate --disable-REDACTED-timer-throttling --disable-renderer-REDACTEDing --disable-device-discovery-notifications --headless --disable-gpu --disable-dev-shm-usage --remote-debugging-port=9222 --noerrdialogs --ozone-platform=headless --ozone-override-screen-size=800,600 --use-angle=swiftshader-webgl http://localhost:9876/?id=45352262 (dns block)
  • clients2.google.com
    • Triggering command: /opt/google/chrome/chrome --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=3623 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-45352262 --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,4908381743801459248,9728653737246464431,262144 --disable-features=PaintHolding --variations-seed-version (dns block)
    • Triggering command: /opt/google/chrome/chrome --user-data-dir=/tmp/karma-45352262 --enable-automation --no-default-browser-check --no-first-run --disable-default-apps --disable-popup-blocking --disable-translate --disable-REDACTED-timer-throttling --disable-renderer-REDACTEDing --disable-device-discovery-notifications --headless --disable-gpu --disable-dev-shm-usage --remote-debugging-port=9222 --noerrdialogs --ozone-platform=headless --ozone-override-screen-size=800,600 --use-angle=swiftshader-webgl http://localhost:9876/?id=45352262 (dns block)
  • clientservices.googleapis.com
    • Triggering command: /opt/google/chrome/chrome --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=3623 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-45352262 --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,4908381743801459248,9728653737246464431,262144 --disable-features=PaintHolding --variations-seed-version (dns block)
    • Triggering command: /opt/google/chrome/chrome --user-data-dir=/tmp/karma-45352262 --enable-automation --no-default-browser-check --no-first-run --disable-default-apps --disable-popup-blocking --disable-translate --disable-REDACTED-timer-throttling --disable-renderer-REDACTEDing --disable-device-discovery-notifications --headless --disable-gpu --disable-dev-shm-usage --remote-debugging-port=9222 --noerrdialogs --ozone-platform=headless --ozone-override-screen-size=800,600 --use-angle=swiftshader-webgl http://localhost:9876/?id=45352262 (dns block)
  • redirector.gvt1.com
    • Triggering command: /opt/google/chrome/chrome --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=3623 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-45352262 --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,4908381743801459248,9728653737246464431,262144 --disable-features=PaintHolding --variations-seed-version (dns block)
    • Triggering command: /opt/google/chrome/chrome --user-data-dir=/tmp/karma-45352262 --enable-automation --no-default-browser-check --no-first-run --disable-default-apps --disable-popup-blocking --disable-translate --disable-REDACTED-timer-throttling --disable-renderer-REDACTEDing --disable-device-discovery-notifications --headless --disable-gpu --disable-dev-shm-usage --remote-debugging-port=9222 --noerrdialogs --ozone-platform=headless --ozone-override-screen-size=800,600 --use-angle=swiftshader-webgl http://localhost:9876/?id=45352262 (dns block)
  • safebrowsingohttpgateway.googleapis.com
    • Triggering command: /opt/google/chrome/chrome --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=3623 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-45352262 --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,4908381743801459248,9728653737246464431,262144 --disable-features=PaintHolding --variations-seed-version (dns block)
    • Triggering command: /opt/google/chrome/chrome --user-data-dir=/tmp/karma-45352262 --enable-automation --no-default-browser-check --no-first-run --disable-default-apps --disable-popup-blocking --disable-translate --disable-REDACTED-timer-throttling --disable-renderer-REDACTEDing --disable-device-discovery-notifications --headless --disable-gpu --disable-dev-shm-usage --remote-debugging-port=9222 --noerrdialogs --ozone-platform=headless --ozone-override-screen-size=800,600 --use-angle=swiftshader-webgl http://localhost:9876/?id=45352262 (dns block)
  • www.google.com
    • Triggering command: /opt/google/chrome/chrome --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-dev-shm-usage --use-angle=swiftshader-webgl --crashpad-handler-pid=3623 --enable-crash-reporter=, --noerrdialogs --user-data-dir=/tmp/karma-45352262 --change-stack-guard-on-fork=enable --shared-files=v8_context_snapshot_data:100 --field-trial-handle=3,i,4908381743801459248,9728653737246464431,262144 --disable-features=PaintHolding --variations-seed-version (dns block)
    • Triggering command: /opt/google/chrome/chrome --user-data-dir=/tmp/karma-45352262 --enable-automation --no-default-browser-check --no-first-run --disable-default-apps --disable-popup-blocking --disable-translate --disable-REDACTED-timer-throttling --disable-renderer-REDACTEDing --disable-device-discovery-notifications --headless --disable-gpu --disable-dev-shm-usage --remote-debugging-port=9222 --noerrdialogs --ozone-platform=headless --ozone-override-screen-size=800,600 --use-angle=swiftshader-webgl http://localhost:9876/?id=45352262 (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Add basic permissions configuration for all actions workflows. For the release action, add id-token and update the npm publish command to use provenance

💬 Share your feedback on Copilot coding agent for the chance to win a $200 gift card! Click here to start the survey.

Copilot AI and others added 2 commits October 7, 2025 13:51
@dgreif
Add permissions configuration to all workflow files and provenance to…
ce32fa3 
… npm publish

Co-authored-by: dgreif <3026298+dgreif@users.noreply.github.com>
@dgreif
Add id-token permission and provenance to publish.yml workflow
0aa94b3 
Co-authored-by: dgreif <3026298+dgreif@users.noreply.github.com>
Copilot AI changed the title [WIP] Add basic permissions configuration for actions workflows Add permissions configuration to workflows and enable npm provenance Oct 7, 2025
Copilot AI requested a review from dgreif October 7, 2025 13:55
@dgreif dgreif marked this pull request as ready for review October 7, 2025 13:59
@dgreif dgreif requested a review from a team as a code owner October 7, 2025 13:59
Copilot AI review requested due to automatic review settings October 7, 2025 13:59
Copilot AI reviewed Oct 7, 2025
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR enhances the security posture of GitHub Actions workflows by implementing explicit permissions configuration following the principle of least privilege and enabling npm package provenance attestation for supply chain transparency.

  • Added explicit permission declarations to all three workflow files to limit access rights
  • Enabled npm provenance attestation with --provenance flag for published packages
  • Configured id-token: write permissions to support OIDC token generation for cryptographic signing

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.

File Description
.github/workflows/nodejs.yml Added read-only contents permission for CI builds
.github/workflows/publish.yml Added contents read and id-token write permissions, enabled npm provenance
.github/workflows/release.yml Added contents write and id-token write permissions, enabled npm provenance

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

jibrang
jibrang reviewed Oct 7, 2025
View reviewed changes
.github/workflows/publish.yml
env:
TAG_NAME: ${{ github.event.release.tag_name }}
- run: npm whoami; npm --ignore-scripts publish
- run: npm whoami; npm --ignore-scripts publish --provenance
Copy link

@jibrang jibrang Oct 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why do we need to use --provenance here?

Copy link
Contributor

@dgreif dgreif Oct 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a newer feature with npm which we've turned on in most of our OSS packages. It provides hard links back to the action which built the published version, improving trust and integrity of npm packages.

Copy link

@jibrang jibrang Oct 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cool! Thanks for the context!

@dgreif dgreif merged commit e735bb1 into main Oct 7, 2025
5 checks passed
@dgreif dgreif deleted the copilot/add-permissions-configuration branch October 7, 2025 14:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dgreif dgreif dgreif approved these changes

Copilot code review Copilot Copilot left review comments

@jibrang jibrang jibrang approved these changes

Assignees

@dgreif dgreif

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dgreif @jibrang