README.md: 16 additions & 4 deletions
@@ -47,18 +47,18 @@ When publishing to the [official registry](https://registry.npmjs.org/), it is r
47
47
-[Granular access tokens](https://docs.npmjs.com/creating-and-viewing-access-tokens#creating-granular-access-tokens-on-the-website) are recommended when publishing from a CI provider that is not supported by npm for trusted publishing, and can be set via [environment variables](#environment-variables).
48
48
Because these access tokens expire, rotation will need to be accounted for in this scenario.
49
49
50
+
> [!NOTE]
51
+
> When using trusted publishing, provenance attestations are automatically generated for your packages without requiring provenance to be explicitly enabled.
52
+
50
53
#### Trusted publishing from GitHub Actions
51
54
52
-
To publish with OIDC from GitHub Actions, the `id-token: write` permission is required to be enabled on the job:
55
+
To leverage trusted publishing and publish with provenance from GitHub Actions, the `id-token: write` permission is required to be enabled on the job:
53
56
54
57
```yaml
55
58
permissions:
56
59
id-token: write # to enable use of OIDC for trusted publishing and npm provenance
57
60
```
58
61
59
-
> [!NOTE]
60
-
> When using trusted publishing, provenance attestations are automatically generated for your packages without requiring provenance to be explicitly enabled.
61
-
62
62
It's also worth noting that if you are using semantic-release to its fullest with a GitHub release, GitHub comments,
63
63
and other features, then [more permissions are required](https://github.com/semantic-release/github#github-authentication) to be enabled on this job:
64
64
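Review bot: The NOTE about automatic provenance attestations now lands directly under the paragraph on granular access tokens and token rotation (the paragraph that is not about trusted publishing), so a reader skimming the page can take it as a statement about tokens rather than about the OIDC flow; consider introducing it with a sentence such as "Trusted publishing is the recommended approach" or placing it immediately after the trusted publishing heading so the "When using trusted publishing" condition is read together with the sections it governs. Moving it out from under the GitHub Actions YAML is otherwise the right call, since the same attestation behaviour applies to the GitLab section added below. Minor wording point on the rewritten line 55: "is required to be enabled on the job" reads more cleanly as "must be granted to the job", and it is worth being explicit that `id-token: write` is the only extra permission trusted publishing itself needs, since the paragraph that follows lists further permissions for unrelated features.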
@@ -72,6 +72,18 @@ permissions:
72
72
73
73
Refer to the [GitHub Actions recipe for npm package provenance](https://semantic-release.gitbook.io/semantic-release/recipes/ci-configurations/github-actions#.github-workflows-release.yml-configuration-for-node-projects) for the full CI job's YAML code example.
74
74
75
+
#### Trusted publishing for GitLab Pipelines
76
+
77
+
To leverage trusted publishing and publish with provenance from GitLab Pipelines, `NPM_ID_TOKEN` needs to be added as an entry under `id_tokens` in the job definition with an audience of `npm:registry.npmjs.org`:
78
+
79
+
```yaml
80
+
id_tokens:
81
+
NPM_ID_TOKEN:
82
+
aud: "npm:registry.npmjs.org"
83
+
```
84
+
85
+
See the [npm documentation for more detail about configuring pipeline details](https://docs.npmjs.com/trusted-publishers#gitlab-cicd-configuration)
86
+
75
87
### Alternative Registries
76
88
77
89
The npm token authentication configuration is **required** and can be set via [environment variables](#environment-variables).
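Review bot: The closing sentence of the new GitLab section ("See the [npm documentation for more detail about configuring pipeline details](...)") has no terminating period and repeats "detail"/"details"; suggest "See the [npm documentation on GitLab CI/CD configuration](https://docs.npmjs.com/trusted-publishers#gitlab-cicd-configuration) for more detail." The YAML snippet also shows `id_tokens:` at the top level, while the sentence above says it belongs in the job definition; indenting it under a placeholder job name (for example `release:`) would make it copy-pasteable and avoid a reader putting it at the root of `.gitlab-ci.yml`, where it is not honoured. The fixed audience `npm:registry.npmjs.org` is the security-relevant part of this addition, since a token minted for a different audience cannot be redeemed at the registry; a short clause saying the value must match exactly would help.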