Supply-chain Evidence
Release SBOMs, licenses, NOTICE review, vulnerability and secret scans, digests, provenance, and attestations.
Every Fabric Harness release tag runs the Release supply-chain evidence
workflow. High or critical dependency advisories, a secret finding, a package
without Apache-2.0 metadata, an incompatible dependency license, a missing
NOTICE file, an import failure, or a digest mismatch blocks the release.
Run the same evidence generation locally:
pnpm run build
pnpm run check:supply-chainThe command writes:
| Artifact | Contents |
|---|---|
release-packages/*.tgz | Exact npm package subjects used for attestation |
release-sbom.cdx.json | CycloneDX 1.5 component inventory |
release-license-report.json | Dependency versions, licenses, and package URLs |
release-notice-review.json | Per-package NOTICE digest and attribution review |
release-secret-scan.json | Packed-package secret-pattern scan result |
release-vulnerability-report.json | Complete pnpm audit result and severity totals |
release-provenance.intoto.json | In-toto statement with SLSA v1 build predicate |
release-artifact-digests.json | SHA-256 for every package subject and evidence file |
verify-supply-chain-evidence.mjs recalculates every digest. CI also runs
Gitleaks across repository history. On release tags, GitHub's OIDC identity
signs build-provenance and SBOM attestations for the retained tarballs through
actions/attest-build-provenance and actions/attest-sbom.
Evidence artifacts are retained for 90 days in GitHub Actions. Copy them to the
organization's immutable release archive when policy requires longer
retention. npm packages also publish with publishConfig.provenance: true, so
registry consumers can verify the npm provenance statement independently.
Verify a release
Download the release evidence artifact, then run:
node scripts/verify-supply-chain-evidence.mjs
gh attestation verify artifacts/release-packages/*.tgz \
--repo Fabric-Pro/fabric-harnessThe first command verifies local SHA-256 integrity. The second verifies the keyless GitHub attestation identity and repository binding.