The trust story. Without this, nothing else matters.
Scope
- GitHub Actions workflow:
  - Pinned action versions (full commit SHA, not tag; a tag can be moved after the fact, a SHA cannot)
  - OIDC publish to npm (no long-lived `NPM_TOKEN` secret); `npm publish --provenance` for attestations
  - Job that fails CI if any dep in the resolved tree declares `postinstall` / `preinstall` / `prepare`
  - Lockfile diff guard: PR fails if `package-lock.json` changes without a `CHANGES.md` entry mentioning the change
- `.npmrc` ships with `ignore-scripts=true` enabled. Caveat: this also skips the project's own install and publish lifecycle hooks (`prepare`, `prepack`, `prepublishOnly`), so any build step must be invoked explicitly in the workflow rather than relying on those hooks.
- SBOM (CycloneDX) generated on release, attached as a release asset.
- Standalone binary build via Node's single-executable application (SEA), one per supported platform; signed (codesign on macOS, sigstore cosign elsewhere); attached as release assets with checksums.
- "Verifying a release" section in README with the exact commands to verify provenance, SBOM, and binary signatures.
Acceptance criteria
- A release on GitHub produces: an npm publish with a provenance attestation, the SBOM, signed binaries, and a checksums file.
- Install-scripts check fails on a fixture PR that adds a dep with a `postinstall` script (and passes on the clean tree).
- Provenance attestation is verifiable from a fresh clone with the documented commands.
Deps
Touches everything; do last.