Skip to content

Commit

Permalink
Add example for publishing with GitLab provenance (#684)
Browse files Browse the repository at this point in the history
Also code blocks in that document were tagged with their language to
provide syntax highlighting.
  • Loading branch information
remcohaszing authored Aug 8, 2023
1 parent db37a94 commit bd017c9
Showing 1 changed file with 40 additions and 23 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -49,55 +49,72 @@ To update your GitHub Actions workflow to publish your packages with provenance,

- Give permission to mint an ID-token:

```
```yaml
permissions:
id-token: write
```
- Run on a [GitHub-hosted runner](https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners#supported-runners-and-hardware-resources):
```
```yaml
runs-on: ubuntu-latest
```
- Add the `--provenance` flag to your publish command:

```
```sh
npm publish --provenance
```

- If you are publishing a package for the first time you will also need to explicitly set access to public:

```
```sh
npm publish --provenance --access public
```

### Example GitHub Actions workflow

This example workflow publishes a package to the npm registry with provenance.

```
```yaml
name: Publish Package to npmjs
on:
release:
types: [created]
release:
types: [created]
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: '18.x'
registry-url: 'https://registry.npmjs.org'
- run: npm install -g npm
- run: npm ci
- run: npm publish --provenance --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
build:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: '18.x'
registry-url: 'https://registry.npmjs.org'
- run: npm install -g npm
- run: npm ci
- run: npm publish --provenance --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

### Example GitLab CI job

This example job publishes a package to the npm registry with provenance when a git tag is pushed. Don’t forget to define the `NPM_TOKEN` variable in your GitLab project settings.

```yaml
publish:
image: 'node:20'
rules:
- if: $CI_COMMIT_TAG
id_tokens:
SIGSTORE_ID_TOKEN:
aud: sigstore
script:
- npm config set //registry.npmjs.org/:_authToken "$NPM_TOKEN"
- npm publish --provenance --access publich
```

### Using third-party package publishing tools
Expand Down

0 comments on commit bd017c9

Please sign in to comment.