Add GAR section to JS global config docs (#3299)

s-stumbo · web-flow · commit 39e3ea1e9e2d · 2026-05-08T13:59:12.000-04:00
[ ] Check if this is a typo or other quick fix and ignore the rest :) ## Type of change Update to JS global config docs ### What should this PR do? Add guidance for setting up GAR as a repo manager ### Why are we making this change? Customer reported issue. Thread here: https://chainguard-dev.slack.com/archives/C085187D8RE/p1777996617471599 ### What are the acceptance criteria? Content should be clear and accurate ### How should this PR be tested? View deploy preview --------- Signed-off-by: s-stumbo <sally.stumbo@chainguard.dev> Signed-off-by: s-stumbo <100295939+s-stumbo@users.noreply.github.com>
diff --git a/content/chainguard/libraries/javascript/global-configuration.md b/content/chainguard/libraries/javascript/global-configuration.md
@@ -181,6 +181,8 @@ repository:
    with chainctl](/chainguard/libraries/access/).
 1. Click **Create Remote Repository**.
 
+
+
 Create a virtual repository, or add the remote repository to an existing
 virtual repository used for npm packages. A virtual repository may also include private npm packages or 
 additional upstream sources, depending on your configuration.
@@ -225,7 +227,7 @@ To prevent this:
 
 After creating and configuring the `javascript-chainguard` remote repository, validate that Artifactory is successfully proxying through to Chainguard before proceeding. Because Artifactory falls back to the upstream npm registry when a connection to a remote repository fails, a misconfigured repository may silently resolve packages from npm rather than Chainguard — and the build will succeed without any visible error.
 
-Common sources of misconfiguration include invalid or expired credentials, an incorrect or incomplete URL, and mosconfigured [settings in the Advanced tab](#advanced-settings-for-redirect-handling). The Artifactory **Test** button on the repository configuration screen is not a reliable indicator; it may fail for a correctly configured repository, and may pass for an incorrectly configured one. Instead, use the following steps to verify that fetching an artifact through Artifactory produces the same checksum as fetching it directly from `libraries.cgr.dev`.
+Common sources of misconfiguration include invalid or expired credentials, an incorrect or incomplete URL, and misconfigured [settings in the Advanced tab](#advanced-settings-for-redirect-handling). The Artifactory **Test** button on the repository configuration screen is not a reliable indicator; it may fail for a correctly configured repository, and may pass for an incorrectly configured one. Instead, use the following steps to verify that fetching an artifact through Artifactory produces the same checksum as fetching it directly from `libraries.cgr.dev`.
 
 1. Fetch the artifact directly from Chainguard and compute its checksum, using the same credentials you configured in Artifactory. This example uses `picocolors-1.1.1`. You can substitute any artifact you know to be available.
 
@@ -360,3 +362,11 @@ Use the URL of the repository group, such as
 configuration](/chainguard/libraries/javascript/build-configuration/) and build a
 first test project. In a working setup the `javascript-chainguard` proxy
 repository contains all libraries retrieved from Chainguard.
+
+## Google Artifact Registry
+
+Google Artifact Registry (GAR) is not an officially supported repository manager for Chainguard Libraries for JavaScript. However, it has been shown to work with the following configuration.
+
+Configure two GAR remote repositories, with upstream validation disabled on the second:
+* First remote repository: `javascript-chainguard` pointing to `https://libraries.cgr.dev/javascript` with upstream validation enabled
+* Second remote repository: `javascript-chainguard-upstream` pointing to `https://libraries.cgr.dev/javascript-upstream` with upstream validation disabled.
