
Provenance Statements

Vadim edited this page Feb 12, 2026 · 3 revisions

Provenance statements provide verifiable information about how a package was built.
You can read more in the official NPM documentation: Generating provenance statements.

⚠️ Provenance generation requires the package to be public.

Ready-to-use workflow examples

NPM

```yaml
name: Publish to NPM
on:
  release:
    types: [published]

jobs:
  npm-publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # required: the OIDC token is what backs the provenance statement
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-node@v6
        with:
          node-version: "24"
      - run: npm ci
      - run: npm test
      - run: npm publish --ignore-scripts
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
          NPM_CONFIG_PROVENANCE: true   # add this line to enable provenance generation
```

PNPM

```yaml
name: Publish to NPM
on:
  release:
    types: [published]

jobs:
  npm-publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # required: the OIDC token is what backs the provenance statement
    steps:
      - uses: actions/checkout@v5
      - uses: pnpm/action-setup@v4
        with:
          version: latest
          run_install: true
      - uses: actions/setup-node@v6
        with:
          node-version: "24"
          cache: pnpm
      - run: pnpm run build
      - run: pnpm publish --no-git-checks
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
          NPM_CONFIG_PROVENANCE: true   # add this line to enable provenance generation
```
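As an added example (not part of this wiki page), a Python check of the kind a package consumer would run over the statement that `npm publish` attaches when `NPM_CONFIG_PROVENANCE` is set: it confirms the tarball digest, package name, source repository and builder recorded in the statement match what the consumer expects. The tarball bytes, statement, package name and repository URL are constructed here, the SLSA v1 field layout is an assumption, and the Sigstore signature verification that `npm audit signatures` performs is not reproduced.

```python
import hashlib
import json

# Constructed sample: tarball bytes and an in-toto / SLSA v1 statement shaped
# like the provenance npm attaches. Field names are assumptions for this example.
TARBALL = b"constructed tarball bytes for example-pkg-1.2.3.tgz"

STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "pkg:npm/example-pkg@1.2.3",
                 "digest": {"sha512": hashlib.sha512(TARBALL).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
            "externalParameters": {"workflow": {
                "ref": "refs/tags/v1.2.3",
                "repository": "https://github.com/example-org/example-pkg",
                "path": ".github/workflows/publish.yml"}}},
        "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}},
    },
})


def check_provenance(statement_json, tarball, expected_purl, expected_repo):
    """Return a list of findings; an empty list means the statement matches expectations."""
    st = json.loads(statement_json)
    findings = []
    if st.get("predicateType") != "https://slsa.dev/provenance/v1":
        findings.append("unexpected predicateType")
    # The subject must name this package and carry the digest of the tarball we actually have.
    subjects = {s["name"]: s.get("digest", {}) for s in st.get("subject", [])}
    digest = subjects.get(expected_purl, {}).get("sha512")
    if digest is None:
        findings.append("package not listed as a subject")
    elif digest != hashlib.sha512(tarball).hexdigest():
        findings.append("tarball digest does not match subject")
    # The build must come from the repository we trust, on a GitHub-hosted builder.
    pred = st.get("predicate", {})
    wf = pred.get("buildDefinition", {}).get("externalParameters", {}).get("workflow", {})
    if wf.get("repository") != expected_repo:
        findings.append("built from unexpected repository")
    builder = pred.get("runDetails", {}).get("builder", {}).get("id", "")
    if not builder.startswith("https://github.com/"):
        findings.append("unexpected builder")
    return findings
```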
