Skip to content

npm provenance blocked: package.json repository points to GitLab (identity decision) #79

Description

@hyperpolymath

Surfaced during the estate provenance rollout. bindings/rescript/package.json has:

"repository": { "url": "https://gitlab.com/campaign-for-cooler-coding-and-programming/bunsenite.git" }
"version": "1.0.0"   (Cargo is at 1.0.2 — binding is stale)

npm --provenance from a GitHub Action requires the repository to match the building repo (github.com/hyperpolymath/bunsenite), so npm provenance was skipped here (it would fail verification). Cargo .crate provenance was added (#78).

Decision needed: is bunsenite GitHub-primary or GitLab-primary?

  • GitHub-primary → point repository at GitHub + sync the npm version to 1.0.2, then npm --provenance works.
  • GitLab-primary → npm provenance must be minted by GitLab CI, not GitHub; leave as-is and document it.

This is an identity call, not a mechanical fix — flagging rather than guessing where the package canonically lives.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions