Skip to content

Commit

Permalink
Move GitLab example for npm build provenance (npm#1066)
Browse files Browse the repository at this point in the history 
<!-- What / Why -->
<!-- Describe the request in detail. What it does and why it's being
changed. -->

When reading the [npm build provenance
doc](https://docs.npmjs.com/generating-provenance-statements), I noticed
that the GitLab example was under the GitHub Actions section. This PR
just moves the GitLab example to the GitLab section of the doc instead.

## References
<!-- Examples:
  Related to #0
  Depends on #0
  Blocked by #0
  Fixes #0
  Closes #0
-->
I didn't open an issue since it's a tiny, cosmetic change.
  • Loading branch information
@SiaraMist
SiaraMist authored Apr 23, 2024
1 parent 4c631d6 commit a9b1439
Showing 1 changed file with 17 additions and 17 deletions.
34 changes: 17 additions & 17 deletions ...nt/packages-and-modules/securing-your-code/generating-provenance-statements.mdx
View file
Original file line number Diff line number Diff line change
Expand Up @@ -101,23 +101,6 @@ jobs:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

### Example GitLab CI job

This example job publishes a package to the npm registry with provenance when a git tag is pushed. Don’t forget to define the `NPM_TOKEN` variable in your GitLab project settings.

```yaml
publish:
image: 'node:20'
rules:
- if: $CI_COMMIT_TAG
id_tokens:
SIGSTORE_ID_TOKEN:
aud: sigstore
script:
- npm config set //registry.npmjs.org/:_authToken "$NPM_TOKEN"
- npm publish --provenance --access public
```

### Using third-party package publishing tools

If you publish your packages with tools that do not directly invoke the `npm publish` command, you can do one of the following in your GitHub Actions workflow to publish your packages with provenance.
Expand All @@ -144,6 +127,23 @@ If you publish your packages with tools that do not directly invoke the `npm pub

In order to establish provenance, you must use a supported cloud CI/CD provider and a cloud-hosted runner to publish your packages. GitLab CI/CD is a supported CI/CD platform that allows you to automate software development tasks. For more information, see [Generating provenance in GitLab CI/CD][gitlab-ci-cd-docs] in the GitLab documentation.

### Example GitLab CI job

This example job publishes a package to the npm registry with provenance when a git tag is pushed. Don’t forget to define the `NPM_TOKEN` variable in your GitLab project settings.

```yaml
publish:
image: 'node:20'
rules:
- if: $CI_COMMIT_TAG
id_tokens:
SIGSTORE_ID_TOKEN:
aud: sigstore
script:
- npm config set //registry.npmjs.org/:_authToken "$NPM_TOKEN"
- npm publish --provenance --access public
```

## Verifying provenance attestations

You can verify the provenance attestations of downloaded packages with the following `audit` command:
Expand Down

0 comments on commit a9b1439

Please sign in to comment.