Function verifyAddonProvenance


Verification.

verifyAddonProvenance(
    options: {
        repo: `${string}/${string}`;
        runInvocationURI: RunInvocationURI;
        sha256: Sha256Hex;
    } & FetchOptions & {
        maxJsonResponseBytes?: number;
        maxRekorEntries?: number;
        rekorLagBudgetMs?: number;
        rekorLagDelaysMs?: readonly number[];
        trustMaterial?: TrustMaterial;
        verifier?: BundleVerifier;
    },
): Promise<void>

Verify addon binary provenance via the Rekor transparency log. Confirms the artifact was attested in the expected workflow run and source repository.

Typically called via verifyAddon. Use directly when you already have a RunInvocationURI.

throws

ProvenanceError if no attestation matches the expected workflow run, or all entries fail verification.

throws

Error on transient failures (network timeout, Rekor unavailable) — safe to retry.

example
import {
  verifyAddonProvenance,
  sha256Hex,
  githubRepo,
  runInvocationURI,
} from "node-addon-slsa";

await verifyAddonProvenance({
  sha256: sha256Hex("a".repeat(64)),
  runInvocationURI: runInvocationURI(
    "https://github.com/owner/repo/actions/runs/123/attempts/1",
  ),
  repo: githubRepo("owner/repo"),
});
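The two throws clauses above describe two different outcomes: a ProvenanceError is a verdict (the binary is not attested for the expected run) and must fail closed, while a plain Error is transient and may be retried. The wrapper below is an added example, not code from node-addon-slsa; it assumes the library exports a ProvenanceError class and defines a local stand-in with the same name so the file runs without the package installed. Wire it up as verifyWithRetry(() => verifyAddonProvenance({...}), policy).

```typescript
// Added example (not part of node-addon-slsa). Stand-in for the library's
// ProvenanceError so this file runs offline; in real use import the library's class.
class ProvenanceError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "ProvenanceError";
  }
}

interface RetryPolicy {
  maxAttempts: number; // total attempts, including the first
  baseDelayMs: number; // delay doubles after each transient failure
  sleep?: (ms: number) => Promise<void>; // injectable for tests
}

interface RetryOutcome {
  ok: boolean;
  attempts: number;
  error?: Error;
}

// `verify` is expected to behave like verifyAddonProvenance: resolve on success,
// reject with ProvenanceError when no matching attestation verifies, reject with a
// plain Error on transient trouble (network timeout, Rekor unavailable).
// A ProvenanceError is returned immediately: asking Rekor again cannot make an
// unattested binary trustworthy, so the caller fails closed. Only plain Errors
// are retried, with exponential backoff, until the policy is exhausted.
async function verifyWithRetry(
  verify: () => Promise<void>,
  policy: RetryPolicy,
): Promise<RetryOutcome> {
  const sleep: (ms: number) => Promise<void> =
    policy.sleep ?? ((ms) => new Promise<void>((r) => setTimeout(r, ms)));
  let lastError: Error | undefined;
  for (let attempt = 1; attempt <= policy.maxAttempts; attempt++) {
    try {
      await verify();
      return { ok: true, attempts: attempt };
    } catch (err) {
      const e = err instanceof Error ? err : new Error(String(err));
      if (e instanceof ProvenanceError) {
        return { ok: false, attempts: attempt, error: e }; // verdict: do not retry
      }
      lastError = e; // transient: back off and try again
      if (attempt < policy.maxAttempts) {
        await sleep(policy.baseDelayMs * Math.pow(2, attempt - 1));
      }
    }
  }
  return { ok: false, attempts: policy.maxAttempts, error: lastError };
}
```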