How easy is it to publish NPM packages with SLSA attestations? #11

@aaronshim

Description

We mention SLSA attestations as a mitigation for supply chain attacks in our library guidelines. We know that there is also external marketing of NPM compatibility with SLSA.

Anecdotally, we have run into some difficulties with publishing NPM packages with SLSA attestations when they are not built with the GitHub Actions runner, so developers that want to use other trusted builders to publish to NPM may have difficulty following this suggestion.

Is this something we can discuss in a future meeting? (Perhaps our role in making sure these ecosystem solutions/technologies are actually usable in practice.) Perhaps this is something the members in the group can escalate with their colleagues to get many of these cloud providers, and mostly NPM, to prioritize supporting this?

Labels: question (Further information is requested)