File: content/packages-and-modules/securing-your-code/trusted-publishers.mdx (31 additions & 0 deletions)
@@ -148,6 +148,37 @@ The `id_tokens` configuration tells GitLab to generate an OIDC token for npm. Le
148
148
149
149
You can modify or remove your trusted publisher configuration at any time through your package settings on [npmjs.com](https://npmjs.com). Each package can only have one trusted publisher connection at a time, but this connection can be edited or deleted as needed. To change providers (for example, switching from GitHub Actions to GitLab CI/CD), simply edit your existing configuration and select the new provider. The change takes effect immediately for future publishes. To remove trusted publishing entirely and return to token-based authentication, delete the trusted publisher configuration from your package settings.
150
150
151
+
## Recommended: Restrict token access when using trusted publishers
152
+
153
+
Once you've configured trusted publishers for your package, we strongly recommend restricting traditional token-based publishing access for enhanced security.
154
+
155
+
### How to configure maximum security
156
+
157
+
1. After enabling trusted publishers, navigate to your package's **Settings** → **Publishing access**
158
+
2. Select **"Require two-factor authentication and disallow tokens"**
159
+
3. Save your changes
160
+
161
+
This configuration:
162
+
- **Allows** publishing through trusted publishers (OIDC)
163
+
- **Blocks** all personal access tokens and automation tokens
164
+
- **Reduces** the risk of unauthorized publishing
165
+
- **Maintains** your automated CI/CD workflows through GitHub Actions or GitLab.
166
+
167
+
### Why this matters
168
+
169
+
Trusted publishers use short-lived, scoped credentials that are generated on-demand during your CI/CD workflow, eliminating the need for long-lived tokens. By restricting traditional token access while using trusted publishers, you reduce potential security risks associated with credential management.
170
+
171
+
**Note:** The "disallow tokens" setting only affects traditional token authentication. Your trusted publishers will continue to work normally, as they use OIDC tokens.
172
+
173
+
### Migration tip
174
+
175
+
If you're transitioning from token-based publishing:
176
+
1. Set up trusted publishers first and verify they work
177
+
2. Then restrict token access as described above
178
+
3. Revoke any existing automation tokens that are no longer needed
179
+
180
+
This ensures a smooth transition without disrupting your release process.
181
+
151
182
## Automatic provenance generation
152
183
153
184
When you publish using trusted publishing, npm automatically generates and publishes [provenance attestations](./generating-provenance-statements) for your package. This happens by default—you don't need to add the `--provenance` flag to your publish command.
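Review bot: The bullet "**Blocks** all personal access tokens and automation tokens" overstates what the visible lines support: the setting lives under **Publishing access** and the later **Note** says it "only affects traditional token authentication", so the claim should be narrowed to publishing, e.g. "**Blocks** publishing with personal access tokens and automation tokens". In the same list, the last item ("**Maintains** your automated CI/CD workflows through GitHub Actions or GitLab.") ends with a period while the other three do not; drop it for consistency. In the "Migration tip" list, step 3 ("Revoke any existing automation tokens that are no longer needed") would benefit from a sentence on why it still matters after step 2: a token that can no longer publish is still a live credential that can leak, and revoking it is what actually removes that exposure, which is the whole point of the "Why this matters" section above.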