Document npm truster publishers

jtpio · jtpio · commit ac6491c9ce0a · 2025-10-14T13:45:06.000+02:00
diff --git a/docs/source/get_started/making_release_from_releaser.md b/docs/source/get_started/making_release_from_releaser.md
@@ -49,9 +49,38 @@ already uses Jupyter Releaser.
 
 </details>
 
-- If the repo generates npm release(s), add access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens), saved as `NPM_TOKEN` in "Secrets".
+- If the repo generates npm release(s), set up npm:
 
-> If you want to set _provenance_ on your package, you need to ensure the publish release job as `permissions`: `id-token : write` (see the [documentation](https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions)).
+<details><summary>Using npm Trusted Publishers (recommended)</summary>
+
+- npm Trusted Publishers is supported with npm >= 11.5.1
+- Ensure the publish release job has `permissions`: `id-token: write` (see the [documentation](https://docs.npmjs.com/generating-provenance-statements))
+- Set up the Node.js version in your workflow using one of these approaches:
+
+  Using the `base-setup` action from `jupyterlab/maintainer-tools`:
+  ```yaml
+  - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
+    with:
+      node_version: "24"
+  ```
+
+  Or using the standard `setup-node` action:
+  ```yaml
+  - uses: actions/setup-node@v6
+    with:
+      node-version: "24"
+  ```
+
+- With Trusted Publishers enabled, npm packages will be published without needing to store an `NPM_TOKEN` secret
+
+</details>
+
+<details><summary>Using NPM_TOKEN (legacy way)</summary>
+
+- Create an access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens), saved as `NPM_TOKEN` in "Secrets"
+- If you want to set _provenance_ on your package, you need to ensure the publish release job has `permissions`: `id-token: write` (see the [documentation](https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions))
+
+</details>
 
 ## Prep Release
 
diff --git a/docs/source/how_to_guides/convert_repo_from_releaser.md b/docs/source/how_to_guides/convert_repo_from_releaser.md
@@ -10,7 +10,7 @@ See checklist below for details:
 - Bump version configuration (if using Python), for example [tbump](https://github.com/dmerejkowsky/tbump)
 - [Access token](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token) with access to target GitHub repo to run GitHub Actions.
 - Access token for the [PyPI registry](https://packaging.python.org/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#saving-credentials-on-github)
-- If needed, access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens).
+- If publishing to npm, we recommend using [npm Trusted Publishers](https://docs.npmjs.com/trusted-publishers) (requires npm >= 11.5.1, available via Node.js >= 24). Otherwise, create an access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens).
 
 ## Checklist for Adoption
 
@@ -19,9 +19,9 @@ A. Prep the `jupyter_releaser` fork:
 - [ ] Clone this repository onto your GitHub user account.
 
 - [ ] Add a GitHub [personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/creating-a-personal-access-token) with access to target GitHub repo to run
-  GitHub Actions, saved as `ADMIN_GITHUB_TOKEN` in the
-  [repository secrets](https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository).
-  The token will need "public_repo", and "repo:status" permissions.
+      GitHub Actions, saved as `ADMIN_GITHUB_TOKEN` in the
+      [repository secrets](https://docs.github.com/en/actions/reference/encrypted-secrets#creating-encrypted-secrets-for-a-repository).
+      The token will need "public_repo", and "repo:status" permissions.
 
 - [ ] Set up PyPI:
 
@@ -54,9 +54,40 @@ A. Prep the `jupyter_releaser` fork:
 
 </details>
 
-- [ ] If needed, add access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens), saved as `NPM_TOKEN`.
+- [ ] Set up npm (if publishing to npm):
 
-> If you want to set _provenance_ on your package, you need to ensure the publish release job as `permissions`: `id-token : write` (see the [documentation](https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions)).
+<details><summary>Using npm Trusted Publishers (recommended)</summary>
+
+- npm Trusted Publishers is supported with npm >= 11.5.1
+- Ensure the publish release job has `permissions`: `id-token: write` (see the [documentation](https://docs.npmjs.com/generating-provenance-statements))
+- Set up the Node.js version in your workflow using one of these approaches:
+
+  Using the `base-setup` action from `jupyterlab/maintainer-tools`:
+
+  ```yaml
+  - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
+    with:
+      node_version: "24"
+  ```
+
+  Or using the standard `setup-node` action:
+
+  ```yaml
+  - uses: actions/setup-node@v4
+    with:
+      node-version: "24"
+  ```
+
+- With Trusted Publishers enabled, npm packages will be published with provenance automatically, without needing to store an `NPM_TOKEN` secret
+
+</details>
+
+<details><summary>Using NPM_TOKEN (legacy way)</summary>
+
+- Create an access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens), saved as `NPM_TOKEN`
+- If you want to set _provenance_ on your package, you need to ensure the publish release job has `permissions`: `id-token: write` (see the [documentation](https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions))
+
+</details>
 
 B. Prep target repository:
 
@@ -66,7 +97,7 @@ B. Prep target repository:
   - Note that [directives](https://myst-parser.readthedocs.io/en/latest/using/syntax.html#syntax-directives) can still be used
 - [ ] Add HTML start and end comment markers to Changelog file - see example in [CHANGELOG.md](https://github.com/jupyter-server/jupyter_releaser/blob/main/CHANGELOG.md) (view in raw mode)
 - [ ] We recommend using [hatch](https://hatch.pypa.io/latest/) for your
-  build system and for version handling.
+      build system and for version handling.
   - If previously providing `version_info` like `version_info = (1, 7, 0, '.dev', '0')`, use a pattern like the one below in your version file:
 
 ```python
@@ -111,7 +142,7 @@ version_info = tuple(parts)
 ```
 
 - [ ] Add a workflow that uses the [`enforce-label`](https://github.com/jupyterlab/maintainer-tools#enforce-labels) action from `jupyterlab/maintainer-tools` to ensure that all PRs have on of the triage labels used to
-  categorize the changelog.
+      categorize the changelog.
 
 - [ ] Update or add `RELEASE.md` that describes the onboarding and release process, e.g. [jupyter_server](https://github.com/jupyter-server/jupyter_server/blob/main/RELEASE.md).
 
diff --git a/docs/source/how_to_guides/convert_repo_from_repo.md b/docs/source/how_to_guides/convert_repo_from_repo.md
@@ -9,7 +9,7 @@ See checklist below for details:
 - Markdown changelog
 - Bump version configuration (if using Python), for example [hatch](https://hatch.pypa.io/latest/)
 - [Add a trusted publisher](https://docs.pypi.org/trusted-publishers/adding-a-publisher/) to your PyPI project
-- If needed, access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens).
+- If publishing to npm, we recommend using [npm Trusted Publishers](https://docs.npmjs.com/trusted-publishers) (requires npm >= 11.5.1, available via Node.js >= 24). Otherwise, create an access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens).
 
 ## Checklist for Adoption
 
@@ -25,7 +25,7 @@ See checklist below for details:
   - Store the `APP_ID` and the private key in a secure location (Jupyter Vault if using a Jupyter Org)
 
 - [ ] Create a "release" [environment](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment) on your repository and add an `APP_ID` Environment Variable and `APP_PRIVATE_KEY` secret.
-  The environment should be enabled for ["Protected branches only"](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-branches-and-tags).
+      The environment should be enabled for ["Protected branches only"](https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#deployment-branches-and-tags).
 
 - [ ] Configure [Rulesets](https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets) for the repository
 
@@ -38,7 +38,7 @@ See checklist below for details:
     - Allow the GitHub App to bypass protections
 
 - [ ] Copy `prep-release.yml` and `publish-release.yml` (or only `full-release.yml`) from the
-  [example-workflows](https://github.com/jupyter-server/jupyter_releaser/tree/main/example-workflows) folder in this repository.
+      [example-workflows](https://github.com/jupyter-server/jupyter_releaser/tree/main/example-workflows) folder in this repository.
 
 - [ ] Set up PyPI:
 
@@ -47,8 +47,41 @@ See checklist below for details:
       _environment_ should be `release` (the name of the GitHub environment).
   - Ensure the publish release job as `permissions`: `id-token : write` (see the [documentation](https://docs.pypi.org/trusted-publishers/using-a-publisher/))
 
-- [ ] If needed, add access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens), saved as `NPM_TOKEN`. Again this should
-  be created using a machine account that only has publish access.
+- [ ] Set up npm (if publishing to npm):
+
+<details><summary>Using npm Trusted Publishers (recommended)</summary>
+
+- npm Trusted Publishers is supported with npm >= 11.5.1
+- Ensure the publish release job has `permissions`: `id-token: write` (see the [documentation](https://docs.npmjs.com/generating-provenance-statements))
+- Set up the Node.js version in your workflow using one of these approaches:
+
+  Using the `base-setup` action from `jupyterlab/maintainer-tools`:
+
+  ```yaml
+  - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
+    with:
+      node_version: "24"
+  ```
+
+  Or using the standard `setup-node` action:
+
+  ```yaml
+  - uses: actions/setup-node@v4
+    with:
+      node-version: "24"
+  ```
+
+- With Trusted Publishers enabled, npm packages will be published with provenance automatically, without needing to store an `NPM_TOKEN` secret
+
+</details>
+
+<details><summary>Using NPM_TOKEN (legacy way)</summary>
+
+- Create an access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens), saved as `NPM_TOKEN`
+- This should be created using a machine account that only has publish access
+- If you want to set _provenance_ on your package, you need to ensure the publish release job has `permissions`: `id-token: write` (see the [documentation](https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions))
+
+</details>
 
 - [ ] Ensure that only trusted users with 2FA have admin access to the repository, since they will be able to trigger releases.
 
@@ -71,7 +104,7 @@ See checklist below for details:
 ```
 
 - [ ] We recommend using [hatch](https://hatch.pypa.io/latest/) for your
-  build system and for version handling.
+      build system and for version handling.
   - If previously providing `version_info` like `version_info = (1, 7, 0, '.dev', '0')`,
     use a pattern like the one below in your version file:
 
@@ -119,7 +152,7 @@ version_info = tuple(parts)
 ```
 
 - [ ] Add a workflow that uses the [`enforce-label`](https://github.com/jupyterlab/maintainer-tools#enforce-labels) action
-  from `jupyterlab/maintainer-tools` to ensure that all PRs have on of the triage labels used to categorize the changelog.
+      from `jupyterlab/maintainer-tools` to ensure that all PRs have on of the triage labels used to categorize the changelog.
 
 ```yaml
 name: Enforce PR label
@@ -149,7 +182,7 @@ jobs:
 - [ ] Try out the `Prep Release` and `Publish Release` process against a fork of the target repo first so you don't accidentally push tags and GitHub releases to the source repository. Set the `TWINE_REPOSITORY_URL` environment variable to `https://test.pypi.org/legacy/` in the "Finalize Release" action part of the workflow
 
 - [ ] Try the `Publish Release` process using a prerelease version on the main
-  repository before publishing a final version.
+      repository before publishing a final version.
 
 ## Backport Branches
 
diff --git a/docs/source/reference/theory.md b/docs/source/reference/theory.md
@@ -17,7 +17,7 @@ This project should help maintainers reduce toil and save time in the release pr
 
 We strive to use the most secure release practices possible, reflected in the `Checklist for Adoption`
 and the example workflows.
-This includes using PyPI Trusted Publishing, using GitHub Environments, encouraging the use of Rulesets and GitHub Apps with limited bypass capability, and provenance data for npm.
+This includes using PyPI Trusted Publishing, npm Trusted Publishers (with npm >= 11.5.1), using GitHub Environments, encouraging the use of Rulesets and GitHub Apps with limited bypass capability, and provenance data for npm.
 In addition, there is an automatic check for whether the user who triggered the action is an admin.
 
 ## Action Details
