FabricFabricHarness
Operating

Supply-chain Evidence

Release SBOMs, licenses, NOTICE review, vulnerability and secret scans, digests, provenance, and attestations.

Every Fabric Harness release tag runs the Release supply-chain evidence workflow. High or critical dependency advisories, a secret finding, a package without Apache-2.0 metadata, an incompatible dependency license, a missing NOTICE file, an import failure, or a digest mismatch blocks the release.

Run the same evidence generation locally:

pnpm run build
pnpm run check:supply-chain

The command writes:

ArtifactContents
release-packages/*.tgzExact npm package subjects used for attestation
release-sbom.cdx.jsonCycloneDX 1.5 component inventory
release-license-report.jsonDependency versions, licenses, and package URLs
release-notice-review.jsonPer-package NOTICE digest and attribution review
release-secret-scan.jsonPacked-package secret-pattern scan result
release-vulnerability-report.jsonComplete pnpm audit result and severity totals
release-provenance.intoto.jsonIn-toto statement with SLSA v1 build predicate
release-artifact-digests.jsonSHA-256 for every package subject and evidence file

verify-supply-chain-evidence.mjs recalculates every digest. CI also runs Gitleaks across repository history. On release tags, GitHub's OIDC identity signs build-provenance and SBOM attestations for the retained tarballs through actions/attest-build-provenance and actions/attest-sbom.

Evidence artifacts are retained for 90 days in GitHub Actions. Copy them to the organization's immutable release archive when policy requires longer retention. npm packages also publish with publishConfig.provenance: true, so registry consumers can verify the npm provenance statement independently.

Verify a release

Download the release evidence artifact, then run:

node scripts/verify-supply-chain-evidence.mjs
gh attestation verify artifacts/release-packages/*.tgz \
  --repo Fabric-Pro/fabric-harness

The first command verifies local SHA-256 integrity. The second verifies the keyless GitHub attestation identity and repository binding.

On this page