diff --git a/content/packages-and-modules/securing-your-code/generating-provenance-statements.mdx b/content/packages-and-modules/securing-your-code/generating-provenance-statements.mdx index 88d57f67e5d..6acfd3d2c9a 100644 --- a/content/packages-and-modules/securing-your-code/generating-provenance-statements.mdx +++ b/content/packages-and-modules/securing-your-code/generating-provenance-statements.mdx @@ -101,23 +101,6 @@ jobs: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} ``` -### Example GitLab CI job - -This example job publishes a package to the npm registry with provenance when a git tag is pushed. Don’t forget to define the `NPM_TOKEN` variable in your GitLab project settings. - -```yaml -publish: - image: 'node:20' - rules: - - if: $CI_COMMIT_TAG - id_tokens: - SIGSTORE_ID_TOKEN: - aud: sigstore - script: - - npm config set //registry.npmjs.org/:_authToken "$NPM_TOKEN" - - npm publish --provenance --access public -``` - ### Using third-party package publishing tools If you publish your packages with tools that do not directly invoke the `npm publish` command, you can do one of the following in your GitHub Actions workflow to publish your packages with provenance. 
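Review bot: this hunk only removes the "Example GitLab CI job" section, which the following hunk re-adds verbatim under the GitLab CI/CD text, so the change is a pure move; the commit would read better with that stated, and it is worth confirming that any links pointing at the `#example-gitlab-ci-job` anchor still resolve, which they should since the heading text is unchanged. The placement here was misleading because the job sat between a GitHub Actions workflow and the "Using third-party package publishing tools" text, which talks about GitHub Actions workflows.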
@@ -144,6 +127,23 @@ If you publish your packages with tools that do not directly invoke the `npm pub In order to establish provenance, you must use a supported cloud CI/CD provider and a cloud-hosted runner to publish your packages. GitLab CI/CD is a supported CI/CD platform that allows you to automate software development tasks. For more information, see [Generating provenance in GitLab CI/CD][gitlab-ci-cd-docs] in the GitLab documentation. +### Example GitLab CI job + +This example job publishes a package to the npm registry with provenance when a git tag is pushed. Don’t forget to define the `NPM_TOKEN` variable in your GitLab project settings. + +```yaml +publish: + image: 'node:20' + rules: + - if: $CI_COMMIT_TAG + id_tokens: + SIGSTORE_ID_TOKEN: + aud: sigstore + script: + - npm config set //registry.npmjs.org/:_authToken "$NPM_TOKEN" + - npm publish --provenance --access public +``` + ## Verifying provenance attestations You can verify the provenance attestations of downloaded packages with the following `audit` command:
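Review bot: the moved prose says to define `NPM_TOKEN` in the project settings but not how; since `npm config set //registry.npmjs.org/:_authToken "$NPM_TOKEN"` writes the token into the runner's `.npmrc`, suggest saying the variable should be masked (and protected, given the `rules: - if: $CI_COMMIT_TAG` condition limits the job to tag pipelines). A one-line note that the `id_tokens` block with `aud: sigstore` is what supplies the OIDC token `npm publish --provenance` relies on would also help readers who copy the job, as nothing in the section currently explains why it is required.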