* Update provenance docs
Update provenance docs to clarify you need to use a public source
repository and add a note for the first version.
Signed-off-by: Philip Harrison <philip@mailharrison.com>
* Add note about npm cli version
Signed-off-by: Philip Harrison <philip@mailharrison.com>
---------
Signed-off-by: Philip Harrison <philip@mailharrison.com>
content/packages-and-modules/securing-your-code/generating-provenance-statements.mdx
9 additions & 3 deletions
@@ -26,7 +26,7 @@ The transparency log service provides a public, verifiable, tamper-evident ledge
## Provenance limitations
-
- In order to publish a package with provenance, you must build your package with a supported cloud CI/CD provider using a cloud-hosted runner. Today this includes GitHub Actions, and we are collaborating with additional providers to expand support. For more information on how to establish provenance using GitHub Actions, see "[Publishing packages with provenance via GitHub Actions][publishing-with-provenance]."
+
- In order to publish a package with provenance, you must build your package with a supported cloud CI/CD provider using a cloud-hosted runner from a public source repository. Today this includes GitHub Actions, and we are collaborating with additional providers to expand support. For more information on how to establish provenance using GitHub Actions, see "[Publishing packages with provenance via GitHub Actions][publishing-with-provenance]."
- When a package in the npm registry has established provenance, it does not guarantee the package has no malicious code. Instead, npm provenance provides a verifiable link to the package's source code and build instructions, which developers can then audit and determine whether to trust it or not. For more information, see "[Searching for and choosing packages to download][provenance-info]."
## Prerequisites
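Review bot: the added phrase "from a public source repository" states the new constraint without saying why it exists, and the sentence now reads as though the runner, not the build, comes from the repository. Suggest tying the constraint to the public transparency log described in the context line at the top of this hunk, e.g. "you must build your package from a public source repository using a supported cloud CI/CD provider's hosted runner, because the provenance statement recorded in the public transparency log links to that repository." The same requirement is added to the Prerequisites list later in this change; one of the two places should carry the explanation and the other should point to it.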
@@ -35,9 +35,9 @@ Before you can publish your packages with provenance, you must:
- Review the [Linux Foundation Immutable Record notice](https://lfprojects.org/policies/hosted-project-tools-immutable-records/), which applies to the public transparency log.
-
- Install the latest version of the npm CLI. For more information, see "[Try the latest stable version of npm][update-npm]."
+
- Install the latest version of the npm CLI (ensure you are on `9.5.0+` as older versions don't support npm provenance). For more information, see "[Try the latest stable version of npm][update-npm]."
-
- Ensure your `package.json` is configured with a `repository` that matches where you are publishing with provenance from.
+
- Ensure your `package.json` is configured with a public `repository` that matches where you are publishing with provenance from.
- Set up a GitHub Actions workflow to publish your packages to the npm registry. For more information, see [Understanding GitHub Actions][understand-actions] in the GitHub documentation.
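Review bot: in the npm CLI bullet, the parenthetical "(ensure you are on `9.5.0+` as older versions don't support npm provenance)" buries the actual requirement; state it directly, e.g. "Install npm CLI 9.5.0 or later; earlier versions do not support provenance (check your version with `npm --version`)." In the `package.json` bullet, "a public `repository`" attaches visibility to the field itself, but the `repository` field only names a location; it is the repository at that location that must be public. Suggest "a `repository` field that points to the public repository you are publishing from."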
@@ -66,6 +66,12 @@ To update your GitHub Actions workflow to publish your packages with provenance,
npm publish --provenance
```
+
- If you are publishing a package for the first time you will also need to explicitly set access to public:
+
+
```
+
npm publish --provenance --access public
+
```
+
### Example GitHub Actions workflow
This example workflow publishes a package to the npm registry with provenance.
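Review bot: the new first-publish bullet gives the command but not why `--access public` is needed, so a reader whose first `npm publish --provenance` is rejected on access grounds has nothing to connect the error to; add the condition under which the default access is not public (if this applies only to scoped packages, say so) and a comma after "for the first time". The added fence is untagged, which matches the existing `npm publish --provenance` block just above it in this hunk; tagging both as `bash` would give them shell highlighting without changing the text.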