feat: expose provenance transparency url #6428
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
JamesHenry
changed the title
JamesHenry
force-pushed
the
surface-provenance-transparency-url
branch
from
196ada5 to
76dc9c3
Compare
|
I think attaching the metadata to the response object is the cleanest way to get that information back to the consumer. Good choice. The non-409 retry block needs the same logic. |
wraithgar
changed the title
|
Thanks @wraithgar, applied that change |
wraithgar
reviewed
May 5, 2023
wraithgar
reviewed
May 5, 2023
Co-authored-by: Gar <[email protected]>
|
@wraithgar Thank you! |
wraithgar
approved these changes
May 5, 2023
|
No, thank you! This'll go out w/ the next cli release (currently scheduled for May 17) |
Merged
|
@JamesHenry correct me if I'm wrong but I think this change was never applied to Lerna itself, right? I assume you were waiting for an official |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I was able to add support for provenance in
lernayesterday (now available in v6.6.2) butlibnpmpublishcurrently only emits a log with the transparency log URL, it does not expose it as data for us to use.This is a particularly a problem for lerna, because we often deal with publishing many packages concurrently. These publish requests are kicked off eagerly in parallel, and so it is currently not possible to reconcile the logs to their originating package.
The presence of this URL data would allow me to easily differentiate between packages which were published with provenance and those which weren't, as well as recreate the log on the lerna side.
For now the best I can do via log interception is gather up the unique URLs and print them at the very end:
I have gone for a rather rudimentary "bolt it on the npmFetch response" approach here, but it would definitely get me what I need. Let me know if you want to rename the property or apply it within some other existing structure on the response in some way.
References