
Introducing npm package provenance

Blog post from GitHub

Post Details

Company: GitHub
Date Published:
Author: Brian DeHamer, Philip Harrison
Word Count: 1,520
Language: English
Hacker News Points: -
Summary

GitHub has introduced a feature that lets npm projects built on GitHub Actions publish provenance data by passing the --provenance flag, strengthening trust in the npm supply chain. The provenance data gives a verifiable link between a published package and its source repository, including the specific build instructions that produced it. The provenance schema follows the Supply-chain Levels for Software Artifacts (SLSA) specification and records the source repository, the commit SHA and the buildConfig, so consumers can trace a package back to the exact source and build that created it.

To make this data trustworthy, GitHub uses the Sigstore project for cryptographic signing: a public certificate authority issues short-lived signing certificates bound to the identity of the CI job that performed the build. Anchoring trust in the source code and the build process, rather than in an individual maintainer's long-lived credentials, is intended to make it much harder to inject malicious code into a package without detection. Provenance is currently supported for GitHub Actions, with plans to extend it to other CI/CD platforms, and signed attestations are recorded in Sigstore's Rekor transparency log, which is tamper-evident. GitHub is also working on further improvements, including adopting version 1.0 of the SLSA specification and collaborating with other cloud CI/CD providers, as part of a broader initiative to secure the open-source software supply chain.