Skip to content

Make build and release workflows public #10

Description

@glypse

This is more of a best-practice than anything, but for transparency sake, I think it'd be good to have the packages build and released via a transparent, verified by NPM process (like GitHub workflows) (see Securing your code: Generating provenance statements) so that the user knows the package they're installing hasn't been tinkered with.

Ideally, same thing would go for the website being transparently built and published.

None of these are big deals but I think they're best practices for security, especially with the surge of recent supply-chain attacks coming from insecure package building/release processes.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions