npm packages built on a cloud CI/CD system (like GitHub Actions) can now publish with provenance, meaning the package has verifiable links back to its source code and build instructions: the exact repository, commit and workflow file that produced the tarball.
The cloud CI/CD system proves the job's identity with a signed OIDC JWT that it issues to the workflow run. npm presents that token to Sigstore's public-good instance, which returns a short-lived signing certificate bound to the workflow identity; npm signs a provenance attestation (source commit, repository and workflow) with the matching ephemeral key, records it in Sigstore's public transparency log, and uploads the signed attestation to the registry along with your built package. Because the certificate is tied to the CI identity rather than to a long-lived key, there is no signing secret for a developer or a compromised laptop to leak.
Here's an example of how to do a build with provenance in a GitHub Actions workflow. Note the id-token: write permission, which is what lets the job request the OIDC token, and the npm upgrade step, since the --provenance flag needs npm 9.5.0 or later:

```yaml
name: Publish Package to npmjs
on:
  release:
    types: [created]
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # required: lets the job request an OIDC token for Sigstore
    steps:
      - uses: actions/checkout@v3
      - uses: actions/setup-node@v3
        with:
          node-version: '18.x'
          registry-url: 'https://registry.npmjs.org'
      - run: npm install -g npm   # --provenance needs npm 9.5.0 or later
      - run: npm ci
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```
Once published, the registry website shows the provenance information on the package's page, linking the version to its source commit and build workflow.
Dependencies with provenance can also be verified from the command line with npm audit signatures, which checks the registry signatures and provenance attestations of the installed dependencies and reports any package whose signature or attestation is missing or invalid.
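A signed attestation only proves that some workflow built the package; a consumer still has to check that it was the workflow they expect. The following is an added example, not npm's own code: it decodes the DSSE envelope of a provenance attestation as the registry's attestation endpoint serves it (the endpoint path and the response layout are assumptions here; the sample statement, package name and digests are constructed) and checks the in-toto statement against a consumer's policy for the expected repository, workflow file, ref and builder. It deliberately does not verify the Sigstore signature or transparency-log entry; npm audit signatures does that, and this check is meant to run after it.

```javascript
// Added example (not npm's or Sigstore's code). Policy check over the
// provenance statement inside a DSSE envelope, as served by
// https://registry.npmjs.org/-/npm/v1/attestations/<name>@<version>
// (that layout is an assumption). Field paths follow the SLSA v1
// GitHub Actions workflow build type. No signature verification here.

// Constructed sample: names, digests and the sig value are made up.
const SAMPLE_STATEMENT = {
  _type: "https://in-toto.io/Statement/v1",
  subject: [{ name: "pkg:npm/%40acme/widget@1.2.3", digest: { sha512: "ab".repeat(64) } }],
  predicateType: "https://slsa.dev/provenance/v1",
  predicate: {
    buildDefinition: {
      buildType: "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
      externalParameters: {
        workflow: {
          ref: "refs/tags/v1.2.3",
          repository: "https://github.com/acme/widget",
          path: ".github/workflows/publish.yml",
        },
      },
      resolvedDependencies: [
        { uri: "git+https://github.com/acme/widget@refs/tags/v1.2.3", digest: { gitCommit: "c0ffee".padEnd(40, "0") } },
      ],
    },
    runDetails: { builder: { id: "https://github.com/actions/runner/github-hosted" } },
  },
};

const SAMPLE_ATTESTATION = {
  predicateType: "https://slsa.dev/provenance/v1",
  bundle: {
    dsseEnvelope: {
      payloadType: "application/vnd.in-toto+json",
      payload: Buffer.from(JSON.stringify(SAMPLE_STATEMENT)).toString("base64"),
      signatures: [{ sig: "<not checked in this example>" }],
    },
  },
};

// Consumer policy: what the provenance for this package must say.
// tarballSha512 is the hex sha512 of the tarball you actually downloaded.
const EXPECTED = {
  purl: "pkg:npm/%40acme/widget@1.2.3",
  tarballSha512: "ab".repeat(64),
  repository: "https://github.com/acme/widget",
  workflowPath: ".github/workflows/publish.yml",
  refPrefix: "refs/tags/",
  builderId: "https://github.com/actions/runner/github-hosted",
};

// Pull the in-toto statement out of the DSSE envelope (payload is base64 JSON).
function decodeStatement(attestation) {
  const env = attestation.bundle.dsseEnvelope;
  if (env.payloadType !== "application/vnd.in-toto+json") {
    throw new Error(`unexpected payloadType ${env.payloadType}`);
  }
  return JSON.parse(Buffer.from(env.payload, "base64").toString("utf8"));
}

// Returns the list of policy violations; an empty list means the provenance
// binds this exact tarball to the expected repository, workflow, ref and builder.
function checkProvenance(attestation, expected) {
  const st = decodeStatement(attestation);
  const problems = [];
  if (st._type !== "https://in-toto.io/Statement/v1") problems.push(`unexpected statement type ${st._type}`);
  if (st.predicateType !== "https://slsa.dev/provenance/v1") problems.push(`unexpected predicate type ${st.predicateType}`);
  const subject = (st.subject ?? []).find((s) => s.name === expected.purl);
  if (!subject) problems.push(`no subject for ${expected.purl}`);
  else if (subject.digest?.sha512 !== expected.tarballSha512) problems.push("subject sha512 does not match the downloaded tarball");
  const wf = st.predicate?.buildDefinition?.externalParameters?.workflow ?? {};
  if (wf.repository !== expected.repository) problems.push(`built from ${wf.repository}, expected ${expected.repository}`);
  if (wf.path !== expected.workflowPath) problems.push(`built by workflow ${wf.path}, expected ${expected.workflowPath}`);
  if (!(wf.ref ?? "").startsWith(expected.refPrefix)) problems.push(`built from ref ${wf.ref}, expected prefix ${expected.refPrefix}`);
  const builderId = st.predicate?.runDetails?.builder?.id;
  if (builderId !== expected.builderId) problems.push(`built on ${builderId}, expected ${expected.builderId}`);
  return problems;
}

// Demonstration helper: a copy of the attestation whose statement claims a
// different source repository (the signature would no longer match, which is
// exactly why the signature check must run before this policy check).
function withRepository(attestation, repository) {
  const st = decodeStatement(attestation);
  st.predicate.buildDefinition.externalParameters.workflow.repository = repository;
  const env = { ...attestation.bundle.dsseEnvelope, payload: Buffer.from(JSON.stringify(st)).toString("base64") };
  return { ...attestation, bundle: { ...attestation.bundle, dsseEnvelope: env } };
}

console.log(checkProvenance(SAMPLE_ATTESTATION, EXPECTED)); // []
console.log(checkProvenance(withRepository(SAMPLE_ATTESTATION, "https://github.com/evil/widget"), EXPECTED));
```

The repository, workflow path and builder ID are the fields that actually distinguish "built by the maintainer's release workflow on a hosted runner" from "built by any GitHub Actions job", so a pinned policy on them is what turns provenance from a badge into a control; the subject digest check ties the claim to the bytes you downloaded rather than to the version string.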
For more information, see generating provenance.