From e4219244ad1c8109d2663f0b5c912319dbab2676 Mon Sep 17 00:00:00 2001
From: Remco Haszing <remcohaszing@gmail.com>
Date: Thu, 4 Dec 2025 14:27:51 +0100
Subject: [PATCH] Add provenance to GitLab OIDC example

The GitLab OIDC example was missing the `SIGSTORE_ID_TOKEN`, which is
needed for publishing provenance, also with OIDC.

Closes https://github.com/npm/cli/issues/8558
---
 .../securing-your-code/trusted-publishers.mdx                   | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/content/packages-and-modules/securing-your-code/trusted-publishers.mdx b/content/packages-and-modules/securing-your-code/trusted-publishers.mdx
index 57847d844e6..a1a67abb54b 100644
--- a/content/packages-and-modules/securing-your-code/trusted-publishers.mdx
+++ b/content/packages-and-modules/securing-your-code/trusted-publishers.mdx
@@ -131,6 +131,8 @@ publish:
   id_tokens:
     NPM_ID_TOKEN:
       aud: "npm:registry.npmjs.org"
+    SIGSTORE_ID_TOKEN:
+      aud: sigstore
   script:
     # Ensure npm 11.5.1 or later is installed
     - npm install -g npm@latest