feat(provenance): only enable provenance for the official registry

at least until there is a known why to use provenance with alternative registries

Author: travi

src/project-type/publishable/badges.js

@@ -1,15 +1,15 @@
-function buildNpmBadgeImageUrl(packageName, registry) {
-  const params = new URLSearchParams({logo: 'npm', ...registry && {registry_uri: registry}});
+function buildNpmBadgeImageUrl(packageName, customRegistry) {
+  const params = new URLSearchParams({logo: 'npm', ...customRegistry && {registry_uri: customRegistry}});
 
   return `https://img.shields.io/npm/v/${packageName}?${params}`;
 }
 
-export default function scaffoldPublishableBadges(packageName, accessLevel, registry) {
+export default function scaffoldPublishableBadges({packageName, accessLevel, customRegistry}) {
   return {
     consumer: {
       ...'public' === accessLevel && {
         npm: {
-          img: buildNpmBadgeImageUrl(packageName, registry),
+          img: buildNpmBadgeImageUrl(packageName, customRegistry),
           text: 'npm',
           link: `https://www.npmjs.com/package/${packageName}`
         }

src/project-type/publishable/badges.test.js

@@ -16,14 +16,14 @@ describe('badges for publishable project types', async () => {
   });
 
   it('should return the npm badge for packages with a public access level', () => {
-    expect(defineBadges(packageName, 'public').consumer).toEqual({npm: npmBadgeDetails});
+    expect(defineBadges({packageName, accessLevel: 'public'}).consumer).toEqual({npm: npmBadgeDetails});
   });
 
   it('should include the registry_uri in the npm badge when a custom registry is provided', () => {
-    const registry = any.url();
+    const customRegistry = any.url();
 
-    const {searchParams} = new URL(defineBadges(packageName, 'public', registry).consumer.npm.img);
+    const {searchParams} = new URL(defineBadges({packageName, accessLevel: 'public', customRegistry}).consumer.npm.img);
 
-    expect(searchParams.get('registry_uri')).toEqual(registry);
+    expect(searchParams.get('registry_uri')).toEqual(customRegistry);
   });
 });

src/project-type/publishable/lifter.js

@@ -8,17 +8,17 @@ import {lift as liftProvenance} from './provenance/index.js';
 export default async function liftPublishable({projectRoot, packageDetails, configs}) {
   const {name: packageName, publishConfig: {access: packageAccessLevel}} = packageDetails;
   const homepage = `https://npm.im/${packageName}`;
-  const registry = resolveRegistry(packageName, configs.registries);
+  const customRegistry = resolveRegistry(packageName, configs.registries);
 
   await mergeIntoExistingPackageJson({projectRoot, config: {homepage}});
 
   return deepmerge(
-    await liftProvenance({packageDetails, projectRoot}),
+    await liftProvenance({packageDetails, projectRoot, customRegistry}),
     {
       homepage,
       dependencies: {javascript: {development: ['publint']}},
       scripts: {'lint:publish': 'publint --strict'},
-      badges: defineBadges(packageName, packageAccessLevel, registry)
+      badges: defineBadges({packageName, accessLevel: packageAccessLevel, customRegistry})
     }
   );
 }

src/project-type/publishable/lifter.test.js

@@ -22,15 +22,17 @@ describe('publishable project-type lifter', () => {
     const packageName = any.word();
     const packageAccessLevel = any.word();
     const registries = any.simpleObject();
-    const registry = any.url();
+    const customRegistry = any.url();
     const packageDetails = {...any.simpleObject(), name: packageName, publishConfig: {access: packageAccessLevel}};
     const provenanceResults = any.simpleObject();
     const mergedResults = any.simpleObject();
     const badgesResults = any.simpleObject();
     const homepage = `https://npm.im/${packageName}`;
-    when(resolveRegistry).calledWith(packageName, registries).thenReturn(registry);
-    when(liftProvenance).calledWith({packageDetails, projectRoot}).thenResolve(provenanceResults);
-    when(defineBadges).calledWith(packageName, packageAccessLevel, registry).thenReturn(badgesResults);
+    when(resolveRegistry).calledWith(packageName, registries).thenReturn(customRegistry);
+    when(liftProvenance).calledWith({packageDetails, projectRoot, customRegistry}).thenResolve(provenanceResults);
+    when(defineBadges)
+      .calledWith({packageName, accessLevel: packageAccessLevel, customRegistry})
+      .thenReturn(badgesResults);
     when(deepmerge).calledWith(
       provenanceResults,
       {

src/project-type/publishable/provenance/lifter.js

@@ -2,10 +2,10 @@ import {mergeIntoExistingPackageJson} from '@form8ion/javascript-core';
 
 import enhanceSlsa from './slsa.js';
 
-export default async function liftProvenance({projectRoot, packageDetails}) {
+export default async function liftProvenance({projectRoot, packageDetails, customRegistry}) {
   const {publishConfig: {access} = {}} = packageDetails;
 
-  if ('public' === access) {
+  if ('public' === access && !customRegistry) {
     await mergeIntoExistingPackageJson({projectRoot, config: {publishConfig: {provenance: true}}});
 
     return enhanceSlsa({provenance: true});

src/project-type/publishable/provenance/lifter.test.js

@@ -29,6 +29,15 @@ describe('provenance lifter', () => {
     });
   });
 
+  it('should not configure provenance for a public package published to an alternative registry', async () => {
+    const packageDetails = {...any.simpleObject(), publishConfig: {access: 'public'}};
+    const customRegistry = any.url();
+
+    expect(await lift({packageDetails, projectRoot, customRegistry})).toEqual({});
+    expect(enhanceSlsa).not.toHaveBeenCalled();
+    expect(mergeIntoExistingPackageJson).not.toHaveBeenCalled();
+  });
+
   it('should not configure provenance for a restricted package', async () => {
     const packageDetails = {...any.simpleObject(), publishConfig: {access: 'restricted'}};
 

test/integration/features/lift/provenance.feature

@@ -20,13 +20,12 @@ Feature: Package Provenance
     And provenance is enabled for publishing
     Then the SLSA badge is added to the status group
 
-  @wip
   Scenario: Public Package on registry that does not support provenance
     Given an "npm" lockfile exists
     And the project is of type "Publishable"
     And the package is published publicly
     And the package is published without provenance
-    And the package is published to an alternative registry
+    And an alternative registry is defined for publishing
     And husky v5 is installed
     When the scaffolder results are processed
     And provenance is not enabled for publishing

test/integration/features/step_definitions/publishable-steps.js

@@ -16,7 +16,7 @@ Given('the package is published with provenance', async function () {
 });
 
 Given('the package is published without provenance', async function () {
-  this.publishConfig.provenance = null;
+  delete this.publishConfig.provenance;
 });
 
 Then('publint is configured', async function () {