fix: Support npm v2 format

verifiers/internal/gha/provenance_test.go

@@ -305,6 +305,23 @@ func Test_verifySourceURI(t *testing.T) {
 			expectedSourceURI: "https://github.com/some/repo",
 			err:               serrors.ErrorInvalidDssePayload,
 		},
+		{
+			name:              "match source no git no material ref (npm) v2 buildType",
+			provBuildType:     common.NpmCLIBuildTypeV2,
+			provTriggerURI:    "git+https://github.com/some/repo@v1.2.3",
+			provMaterialsURI:  "git+https://github.com/some/repo",
+			expectedSourceURI: "https://github.com/some/repo",
+			// NOTE: Unlike for v1, we expect the URIs in material and trigger to match.
+			err: serrors.ErrorMalformedURI,
+		},
+		{
+			name:              "mismatch source material ref (npm) v2 builtType",
+			provBuildType:     common.NpmCLIBuildTypeV2,
+			provTriggerURI:    "git+https://github.com/some/repo@v1.2.3",
+			provMaterialsURI:  "git+https://github.com/some/repo@v1.2.4",
+			expectedSourceURI: "https://github.com/some/repo",
+			err:               serrors.ErrorInvalidDssePayload,
+		},
 		{
 			name:              "match source no git no material ref (byob)",
 			provBuildType:     common.BYOBBuildTypeV0,

verifiers/internal/gha/slsaprovenance/common/buildtypes.go

@@ -18,6 +18,9 @@ var (
 
 	// NpmCLIBuildTypeV1 is the buildType for provenance generated by the npm cli.
 	NpmCLIBuildTypeV1 = "https://github.com/npm/cli/gha@v1"
+
+	// NpmCLIBuildTypeV2 is the buildType for provenance generated by the npm cli.
+	NpmCLIBuildTypeV2 = "https://github.com/npm/cli/gha/v2"
 )
 
 // Legacy buildTypes.

verifiers/internal/gha/slsaprovenance/v0.2/provenance.go

@@ -40,8 +40,15 @@ var buildTypeMap = map[string]map[string]provFunc{
 	common.GenericGeneratorBuilderID:   {common.GenericGeneratorBuildTypeV1: newLegacyBuilderProvenance},
 	common.ContainerGeneratorBuilderID: {common.ContainerGeneratorBuildTypeV1: newLegacyBuilderProvenance},
 
-	common.NpmCLILegacyBuilderID: {common.NpmCLIBuildTypeV1: newLegacyBuilderProvenance},
-	common.NpmCLIHostedBuilderID: {common.NpmCLIBuildTypeV1: newLegacyBuilderProvenance},
+	common.NpmCLILegacyBuilderID: {
+		common.NpmCLIBuildTypeV1: newLegacyBuilderProvenance,
+		common.NpmCLIBuildTypeV2: newLegacyBuilderProvenance,
+	},
+
+	common.NpmCLIHostedBuilderID: {
+		common.NpmCLIBuildTypeV1: newLegacyBuilderProvenance,
+		common.NpmCLIBuildTypeV2: newLegacyBuilderProvenance,
+	},
 	// NOTE: we don't support Npm CLI on self-hosted.
 }
 

verifiers/internal/gha/verifier.go

@@ -71,7 +71,6 @@ func verifyEnvAndCert(env *dsse.Envelope,
 	// There is a corner-case to handle: if the verified builder ID from the cert
 	// is a delegator builder, the user MUST provide an expected builder ID
 	// and we MUST match it against the content of the provenance.
-
 	if err := VerifyProvenance(env, provenanceOpts, verifiedBuilderID, byob, builderOpts.ExpectedID); err != nil {
 		return nil, nil, err
 	}
@@ -259,7 +258,6 @@ func (v *GHAVerifier) VerifyImage(ctx context.Context,
 		RekorPubKeys:      trustedRoot.RekorPubKeys,
 		CTLogPubKeys:      trustedRoot.CTPubKeys,
 	}
-
 	atts, _, err := container.RunCosignImageVerification(ctx,
 		artifactImage, opts)
 	if err != nil {

verifiers/verifier.go

@@ -44,7 +44,6 @@ func VerifyImage(ctx context.Context, artifactImage string,
 	if err != nil {
 		return nil, nil, err
 	}
-
 	return verifier.VerifyImage(ctx, provenance, artifactImage, provenanceOpts, builderOpts)
 }