Add documentation for trusted publishers #1674


Open

leobalter wants to merge 3 commits into main

Conversation

leobalter (Contributor)

This adds new documentation for trusted publishers, to be released soon.

References

Related to npm/cli#8336
Replaces #1673 (now using a branch without a fork)

@leobalter leobalter self-assigned this Jul 17, 2025
@leobalter leobalter requested a review from a team as a code owner July 17, 2025 01:04
@leobalter leobalter added the docs label Jul 17, 2025
leobalter (Contributor, Author)

I rebased the commits into a single one.

steiza (Member) left a comment:

This is great! One minor nit.

title: Trusted publishing for npm packages
---

Trusted publishing allows you to publish npm packages directly from your CI/CD workflows using [OpenID Connect (OIDC)](https://openid.net/developers/how-connect-works/) authentication, eliminating the need for long-lived npm tokens. This feature implements the [Trusted Publishers standard](https://repos.openssf.org/trusted-publishers-for-all-package-repositories) from the Open Source Security Foundation (OpenSSF), joining a growing ecosystem including [PyPI](https://docs.pypi.org/trusted-publishers/), [RubyGems](https://guides.rubygems.org/trusted-publishing/), and other major package registries in offering this security enhancement.

Suggested change
Trusted publishing allows you to publish npm packages directly from your CI/CD workflows using [OpenID Connect (OIDC)](https://openid.net/developers/how-connect-works/) authentication, eliminating the need for long-lived npm tokens. This feature implements the [Trusted Publishers standard](https://repos.openssf.org/trusted-publishers-for-all-package-repositories) from the Open Source Security Foundation (OpenSSF), joining a growing ecosystem including [PyPI](https://docs.pypi.org/trusted-publishers/), [RubyGems](https://guides.rubygems.org/trusted-publishing/), and other major package registries in offering this security enhancement.
Trusted publishing allows you to publish npm packages directly from your CI/CD workflows using [OpenID Connect (OIDC)](https://openid.net/developers/how-connect-works/) authentication, eliminating the need for long-lived npm tokens. This feature implements the [Trusted Publishers specification](https://repos.openssf.org/trusted-publishers-for-all-package-repositories) from the Open Source Security Foundation (OpenSSF), joining a growing ecosystem including [PyPI](https://docs.pypi.org/trusted-publishers/), [RubyGems](https://guides.rubygems.org/trusted-publishing/), and other major package registries in offering this security enhancement.

Member:

Nit: technically it's not a standard (a standard would come from a standards body, like the IETF).

Contributor, Author:

How about "industry standard"? This is what I've had in my brain when writing this down.


Member:

SGTM!
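As an added example (not part of this PR or of the documentation it adds), here is a GitHub Actions release workflow that relies on trusted publishing instead of a stored npm token. The workflow file name, the `release` environment, the Node version, the fact that this repository/workflow pair has been registered as a trusted publisher for the package on npmjs.com, and an npm CLI version that supports trusted publishing are all assumptions.

```yaml
# Added example, not from the PR or the npm docs: publish via trusted
# publishing (OIDC) so no long-lived npm token is stored in the repository.
# Assumptions: this repo + workflow file ("release.yml") is registered as a
# trusted publisher for the package on npmjs.com, and the runner's npm CLI
# supports trusted publishing.
name: release

on:
  push:
    tags: ["v*"]

permissions:
  contents: read
  # Allows the job to request a short-lived OIDC token from GitHub. That
  # token, not a stored secret, is what the registry verifies at publish time.
  id-token: write

jobs:
  publish:
    runs-on: ubuntu-latest
    # A protected environment limits which tag pushes may publish (assumed name).
    environment: release
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org

      - run: npm ci

      # The token-based form this replaces looked like:
      #   - run: npm publish
      #     env:
      #       NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      # A leaked NPM_TOKEN can publish from anywhere until revoked; the OIDC
      # token below is minted per job run and tied to this workflow's identity.
      - run: npm publish
```

If the trusted publisher registration on npmjs.com does not match the repository and workflow file that actually ran, the publish is rejected, which is the check that keeps a stolen workflow definition from publishing elsewhere.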

…ing-private-packages-in-a-ci-cd-workflow.mdx

Co-authored-by: Reggi <reggi@github.com>
nishantms left a comment:

🎉

7 participants