Update provenance docs #679

Merged (2 commits), Jul 26, 2023
Expand Up @@ -26,7 +26,7 @@ The transparency log service provides a public, verifiable, tamper-evident ledge

## Provenance limitations

- In order to publish a package with provenance, you must build your package with a supported cloud CI/CD provider using a cloud-hosted runner. Today this includes GitHub Actions, and we are collaborating with additional providers to expand support. For more information on how to establish provenance using GitHub Actions, see "[Publishing packages with provenance via GitHub Actions][publishing-with-provenance]."
- In order to publish a package with provenance, you must build your package with a supported cloud CI/CD provider using a cloud-hosted runner from a public source repository. Today this includes GitHub Actions, and we are collaborating with additional providers to expand support. For more information on how to establish provenance using GitHub Actions, see "[Publishing packages with provenance via GitHub Actions][publishing-with-provenance]."
- When a package in the npm registry has established provenance, it does not guarantee the package has no malicious code. Instead, npm provenance provides a verifiable link to the package's source code and build instructions, which developers can then audit and determine whether to trust it or not. For more information, see "[Searching for and choosing packages to download][provenance-info]."

## Prerequisites
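Review bot: the inserted phrase "from a public source repository" attaches to "cloud-hosted runner", so the sentence can be read as the runner coming from the public repository rather than the build; suggest "you must build your package from a public source repository, using a supported cloud CI/CD provider with a cloud-hosted runner". Since this bullet is the first place the public-repository requirement appears, it would also help to state plainly that a package built from a private repository cannot be published with provenance, rather than leaving that consequence implicit.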
Expand All @@ -35,9 +35,9 @@ Before you can publish your packages with provenance, you must:

- Review the [Linux Foundation Immutable Record notice](https://lfprojects.org/policies/hosted-project-tools-immutable-records/), which applies to the public transparency log.

- Install the latest version of the npm CLI. For more information, see "[Try the latest stable version of npm][update-npm]."
- Install the latest version of the npm CLI (ensure you are on `9.5.0+` as older versions don't support npm provenance). For more information, see "[Try the latest stable version of npm][update-npm]."

- Ensure your `package.json` is configured with a `repository` that matches where you are publishing with provenance from.
- Ensure your `package.json` is configured with a public `repository` that matches where you are publishing with provenance from.

- Set up a GitHub Actions workflow to publish your packages to the npm registry. For more information, see [Understanding GitHub Actions][understand-actions] in the GitHub documentation.

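Review bot: the npm CLI bullet now carries the only version floor in the document, and `9.5.0+` in code formatting reads like a version-range specifier; consider plain prose ("npm 9.5.0 or later") and "do not" instead of "don't" to match the register of the surrounding prerequisites. The `repository` bullet adds "public", which restates the requirement from the limitations section, but it still does not say which `package.json` value is compared or against what, so a reader cannot check whether their configuration "matches" before the publish fails.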
Expand Down Expand Up @@ -66,6 +66,12 @@ To update your GitHub Actions workflow to publish your packages with provenance,
npm publish --provenance
```

- If you are publishing a package for the first time you will also need to explicitly set access to public:

```
npm publish --provenance --access public
```

### Example GitHub Actions workflow

This example workflow publishes a package to the npm registry with provenance.
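Review bot: the new bullet applies the `--access public` requirement to every first-time publish, but npm only defaults scoped packages (`@scope/name`) to restricted access while unscoped packages are public by default; either narrow the sentence to scoped packages or explain why an unscoped package would need the flag. The added code fence also has no language tag; give it the same tag as the preceding `npm publish --provenance` block so both commands render consistently.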