Provenance Statements

Vadim edited this page Nov 13, 2025 · 2 revisions

Provenance statements provide verifiable information about how a package was built.
You can read more in the official NPM documentation: Generating provenance statements.

Ready-to-use workflow examples:

NPM

```diff
name: Publish to NPM
on:
  release:
    types: [published]

jobs:
  npm-publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-node@v6
        with:
          node-version: "24"
      - run: npm ci
      - run: npm test
-     - run: npm publish --ignore-scripts
+     - run: npm publish --ignore-scripts --provenance
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

PNPM

```diff
name: Publish to NPM
on:
  release:
    types: [published]

jobs:
  npm-publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v5
      - uses: pnpm/action-setup@v4
        with:
          version: latest
          run_install: true
      - uses: actions/setup-node@v6
        with:
          node-version: "24"
          cache: pnpm
      - run: pnpm run build
      - run: pnpm publish --no-git-checks
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+         NPM_CONFIG_PROVENANCE: true
```
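Once a workflow like the ones above publishes with provenance, the registry stores a signed SLSA v1 provenance statement next to the package. The script below is an added example (not code from this wiki or from npm) showing what such a statement contains and how a consumer can check that it attests the source repository, workflow file and builder they expect. The embedded statement is constructed for illustration; its digests and run IDs are made up, and the field layout follows the SLSA v1 / in-toto Statement v1 specifications. It only inspects the statement content; the Sigstore signature over it is checked separately, for instance by `npm audit signatures` in a project that depends on the package.

```python
"""Inspect a SLSA v1 provenance statement of the kind npm publishes with
--provenance and check it against the source and workflow we expect.
Added example; the statement below is constructed, not fetched from a registry."""
import json

IN_TOTO_V1 = "https://in-toto.io/Statement/v1"
SLSA_V1 = "https://slsa.dev/provenance/v1"
# Builder id used for GitHub-hosted runners (assumed from the SLSA GitHub build type).
GITHUB_HOSTED_BUILDER = "https://github.com/actions/runner/github-hosted"

# Constructed sample: an in-toto Statement v1 wrapping a SLSA v1 predicate.
# Package name, repository, digests and invocation id are all made up.
SAMPLE_STATEMENT = json.dumps({
    "_type": IN_TOTO_V1,
    "subject": [
        {"name": "pkg:npm/%40example/widget@1.2.3",
         "digest": {"sha512": "0" * 128}}
    ],
    "predicateType": SLSA_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
            "externalParameters": {
                "workflow": {
                    "ref": "refs/tags/v1.2.3",
                    "repository": "https://github.com/example-org/widget",
                    "path": ".github/workflows/publish.yml",
                }
            },
            "resolvedDependencies": [
                {"uri": "git+https://github.com/example-org/widget@refs/tags/v1.2.3",
                 "digest": {"gitCommit": "a" * 40}}
            ],
        },
        "runDetails": {
            "builder": {"id": GITHUB_HOSTED_BUILDER},
            "metadata": {"invocationId":
                         "https://github.com/example-org/widget/actions/runs/1/attempts/1"},
        },
    },
})


def parse_statement(raw):
    """Decode the statement JSON and validate the envelope-level type fields."""
    stmt = json.loads(raw)
    if stmt.get("_type") != IN_TOTO_V1:
        raise ValueError("not an in-toto Statement v1: %r" % stmt.get("_type"))
    if stmt.get("predicateType") != SLSA_V1:
        raise ValueError("not a SLSA v1 provenance predicate: %r" % stmt.get("predicateType"))
    if not stmt.get("subject"):
        raise ValueError("statement has no subject")
    return stmt


def check_provenance(raw, expected_repo, expected_workflow_path):
    """Return a list of mismatches between the statement and our expectations.

    An empty list means the statement attests the expected repository, workflow
    file, a GitHub-hosted builder, a tag ref (the workflows on this page publish
    on release), and a sha512 digest for every subject."""
    stmt = parse_statement(raw)
    pred = stmt["predicate"]
    build = pred.get("buildDefinition", {})
    wf = build.get("externalParameters", {}).get("workflow", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id", "")
    problems = []
    if wf.get("repository") != expected_repo:
        problems.append("repository %r != expected %r" % (wf.get("repository"), expected_repo))
    if wf.get("path") != expected_workflow_path:
        problems.append("workflow path %r != expected %r" % (wf.get("path"), expected_workflow_path))
    if builder != GITHUB_HOSTED_BUILDER:
        problems.append("builder %r is not the GitHub-hosted runner" % builder)
    if not str(wf.get("ref", "")).startswith("refs/tags/"):
        problems.append("build ref %r is not a tag" % wf.get("ref"))
    for subj in stmt["subject"]:
        if "sha512" not in subj.get("digest", {}):
            problems.append("subject %r lacks a sha512 digest" % subj.get("name"))
    return problems


def subject_digest(raw, package_purl):
    """Return the sha512 the statement claims for the named package, or None.
    Compare this against the hash of the tarball actually downloaded."""
    for subj in parse_statement(raw)["subject"]:
        if subj.get("name") == package_purl:
            return subj.get("digest", {}).get("sha512")
    return None


if __name__ == "__main__":
    ok = check_provenance(SAMPLE_STATEMENT, "https://github.com/example-org/widget",
                          ".github/workflows/publish.yml")
    print("expected source:", "OK" if not ok else ok)
    bad = check_provenance(SAMPLE_STATEMENT, "https://github.com/someone-else/widget",
                           ".github/workflows/publish.yml")
    print("different repository:", bad)
```

The repository and workflow path checks are the ones that matter for supply-chain review: a statement can be perfectly valid and still describe a build from a fork or from a workflow file other than the one you audited, so compare them against the values you expect rather than trusting their presence.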
