docs: update generating-provenance-statements page (#1182)
<!-- What / Why -->
<!-- Describe the request in detail. What it does and why it's being
changed. -->

This PR updates the "Generating provenance statements" page, updating
the GitHub action and introducing minor fixes to the page.

> [!NOTE]
> I have removed the `- run: npm install -g npm` line from the GitHub
action since `actions/setup-node` will perform the same.

## References
<!-- Examples:
  Related to #0
  Depends on #0
  Blocked by #0
  Fixes #0
  Closes #0
-->

N/A

---------

Signed-off-by: K.B.Dharun Krishna <[email protected]>
kbdharun authored Jul 3, 2024
1 parent 05efae1 commit 4f715ec
Showing 1 changed file with 7 additions and 5 deletions.
Expand Up @@ -89,12 +89,11 @@ jobs:
contents: read
id-token: write
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: '18.x'
node-version: '20.x'
registry-url: 'https://registry.npmjs.org'
- run: npm install -g npm
- run: npm ci
- run: npm publish --provenance --access public
env:
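Review bot: `actions/checkout@v4` and `actions/setup-node@v4` are referenced by mutable major-version tags in a job that holds `id-token: write` and runs `npm publish --provenance`; because readers copy this workflow verbatim, consider pinning both actions to a full commit SHA (keeping the tag in a trailing comment), or add a sentence recommending that. Separately, with `- run: npm install -g npm` removed, the job publishes with whatever npm is bundled with the Node release selected by `node-version: '20.x'`, so the page should state the npm version that provenance requires next to this example.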
Expand All @@ -107,12 +106,15 @@ If you publish your packages with tools that do not directly invoke the `npm pub

- **Configure environment variables:** In your GitHub Actions workflow, you can use an environment variable called `NPM_CONFIG_PROVENANCE`, and set it to `true`.
- **Configure your `package.json` file:** You can add a `publishConfig` block to your `package.json` file:

```json
"publishConfig": {
"provenance": true
},
```

- **Add an `.npmrc` file:** You can add an `.npmrc` file to your project with the following entry:

```ini
provenance=true
```
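Review bot: In the `package.json` example, the `"publishConfig"` fragment is fenced as `json` but ends in `},` and has no enclosing object, so a reader who pastes it as the last key of `package.json` gets invalid JSON. While these lines are being touched for spacing, drop the trailing comma or show the key inside the surrounding braces of a minimal `package.json`.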
Expand All @@ -129,7 +131,7 @@ In order to establish provenance, you must use a supported cloud CI/CD provider

### Example GitLab CI job

This example job publishes a package to the npm registry with provenance when a git tag is pushed. Dont forget to define the `NPM_TOKEN` variable in your GitLab project settings.
This example job publishes a package to the npm registry with provenance when a git tag is pushed. Don't forget to define the `NPM_TOKEN` variable in your GitLab project settings.

```yaml
publish:
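Review bot: The corrected sentence still only says to define `NPM_TOKEN` in the GitLab project settings; since this job runs when a git tag is pushed, say that the variable should be masked, and that if it is marked protected the release tags must be protected as well or the job will not receive the token.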