chore(security): sign npm release tarball with cosign keyless#55
Merged
hesreallyhim merged 1 commit into main from Apr 12, 2026
Conversation
Addresses OSSF Scorecard's Signed-Releases check (currently 0/10).
Scorecard examines the last 5 releases for cryptographic signing
evidence (.sigstore bundles, .asc, .sig, or SLSA provenance). None
of the existing releases carry any such artifacts.
Adding two additive steps to publish-npm.yml:
1. Install cosign via sigstore/cosign-installer@v3.10.1 (SHA-pinned).
2. Sign the npm tarball with cosign keyless mode (OIDC from the
existing id-token: write grant — no new secrets required). Produces
a .sigstore bundle alongside the tarball.
The existing gh-release-upload step is updated to include the
.sigstore bundle in the release assets. No changes to the npm
publish step, trusted publishing flow, or any existing step logic.
Cosign keyless signing uses GitHub's ambient OIDC token to produce
a Sigstore bundle that ties the artifact to this specific workflow
run. Consumers can verify with:
cosign verify-blob --bundle <tarball>.sigstore <tarball> \
--certificate-identity-regexp 'github.com/hesreallyhim/proton-pass-community-mcp' \
--certificate-oidc-issuer https://token.actions.githubusercontent.com
Expected score impact: 0/10 -> 10/10 on the NEXT release (scorecard
checks the last 5 releases; this change only takes effect once
publish-npm.yml runs on a new release event).
🤖 Generated with Claude Code
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
- publish-npm.yml workflow
- .sigstore bundle alongside the tarball on each release, uploaded to the GitHub release assets
- id-token: write grant for OIDC
- cosign verify-blob --bundle <tarball>.sigstore <tarball>
Scorecard impact
Addresses OSSF Scorecard's Signed-Releases check (currently 0/10). Scorecard examines the last 5 releases for .sigstore, .asc, .sig, or SLSA provenance files. Score moves to 10/10 after the next published release.
Changes
- sigstore/cosign-installer@v3.10.1 (SHA-pinned) added as a new step
- cosign sign-blob --yes --bundle signs the npm tarball after npm pack
- gh release upload updated to include the .sigstore bundle
Test plan
- .sigstore bundle appears in release assets
- cosign verify-blob succeeds against the downloaded bundle
🤖 Generated with Claude Code
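The following workflow is an added illustration of the steps the PR description and the Summary/Changes list above name (cosign-installer, keyless sign-blob with a bundle, gh release upload of tarball plus bundle); it is not the project's publish-npm.yml and was not taken from the PR. It adds one thing the description does not mention: a verify-blob step that runs before upload, so a release fails if the bundle does not verify against the exact workflow identity. The action SHA, the tag-triggered release event, the handling of the npm pack output and the Node version are assumptions. Note that the --certificate-identity-regexp value shown in the PR is an unanchored regular expression, so a consumer-side check should anchor it (or use --certificate-identity with the full workflow URI, as below); for GitHub Actions keyless signing that identity is https://github.com/OWNER/REPO/.github/workflows/FILE.yml@refs/tags/TAG, and the OIDC issuer is https://token.actions.githubusercontent.com.

```yaml
# Added example, not the project's own workflow. Placeholders and assumptions
# are marked inline.
name: publish-npm
on:
  release:
    types: [published]   # assumption: the existing workflow triggers on releases

permissions:
  contents: write   # required by gh release upload
  id-token: write   # ambient OIDC token consumed by cosign keyless signing; no stored key

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22   # assumption
          registry-url: https://registry.npmjs.org

      # Pin the action to a full commit SHA, not only the tag. The SHA here is a
      # PLACEHOLDER; use the commit that v3.10.1 resolves to in the installer repo.
      - name: Install cosign
        uses: sigstore/cosign-installer@0000000000000000000000000000000000000000 # v3.10.1

      - name: Build npm tarball
        id: pack
        run: |
          # Assumption: npm pack prints the tarball filename as its last stdout line.
          TARBALL="$(npm pack | tail -n 1)"
          echo "tarball=${TARBALL}" >> "${GITHUB_OUTPUT}"

      # Keyless signing: cosign requests a short-lived certificate from Fulcio using
      # the job's OIDC token and records the signature in Rekor. The bundle written
      # next to the tarball carries the certificate, signature and log entry.
      - name: Sign tarball (cosign keyless)
        env:
          TARBALL: ${{ steps.pack.outputs.tarball }}   # passed via env, not interpolated into the shell line
        run: cosign sign-blob --yes --bundle "${TARBALL}.sigstore" "${TARBALL}"

      # Self-check before anything is published: the bundle must verify against the
      # exact identity this workflow run is expected to have. github.ref on a
      # release event is refs/tags/<tag>, so the identity is bound to the tag.
      - name: Verify bundle against exact workflow identity
        env:
          TARBALL: ${{ steps.pack.outputs.tarball }}
          EXPECTED_IDENTITY: https://github.com/${{ github.repository }}/.github/workflows/publish-npm.yml@${{ github.ref }}
        run: |
          cosign verify-blob \
            --bundle "${TARBALL}.sigstore" \
            --certificate-identity "${EXPECTED_IDENTITY}" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            "${TARBALL}"

      # The npm publish step of the existing workflow is unchanged by the PR and is
      # omitted here.

      - name: Upload tarball and bundle to the GitHub release
        env:
          GH_TOKEN: ${{ github.token }}
          TAG: ${{ github.event.release.tag_name }}
          TARBALL: ${{ steps.pack.outputs.tarball }}
        run: gh release upload "${TAG}" "${TARBALL}" "${TARBALL}.sigstore"
```

A consumer verifying a downloaded release should run the same verify-blob command with the published tag substituted into the identity URI; if the job is ever moved into a reusable workflow, the certificate identity becomes the called workflow's path, and the expected identity in both the CI check and consumer instructions must change with it.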