Skip to content

Commit b8fe40f

Browse files
Michael Smithdhei
andauthored
docs: adds circleci documentation (#1873)
This pull request updates the npm documentation to add support for CircleCI as a trusted publisher, alongside GitHub Actions and GitLab CI/CD. It provides instructions and configuration details for setting up trusted publishing with CircleCI, clarifies the provenance generation limitations for CircleCI, and updates troubleshooting and reference sections accordingly. --------- Co-authored-by: Di Hei <dhei@github.com>
1 parent 3049fb7 commit b8fe40f

5 files changed

Lines changed: 66 additions & 6 deletions

File tree

content/nav.yml

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -1788,8 +1788,7 @@
17881788
description: Manage your authentication tokens
17891789
- title: npm trust
17901790
url: /cli/v11/commands/npm-trust
1791-
description: Manage trusted publishing relationships between packages and CI/CD
1792-
providers
1791+
description: Manage trusted publishing relationships between packages and CI/CD providers
17931792
- title: npm undeprecate
17941793
url: /cli/v11/commands/npm-undeprecate
17951794
description: Undeprecate a version of a package

content/packages-and-modules/contributing-packages-to-the-registry/creating-and-publishing-unscoped-public-packages.mdx

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -83,7 +83,7 @@ For more information, see the npm documentation on [requiring 2FA for package pu
8383

8484
<Note>
8585

86-
**Note:** If you use GitHub Actions or GitLab CI/CD to publish your packages, consider using [trusted publishing](/trusted-publishers) for enhanced security. Trusted publishing automatically generates provenance information and eliminates the need for access tokens in your CI/CD workflows. For more information, see "[Generating provenance statements][provenance-how-to]."
86+
**Note:** If you use GitHub Actions, GitLab CI/CD, or CircleCI to publish your packages, consider using [trusted publishing](/trusted-publishers) for enhanced security. Trusted publishing eliminates the need for access tokens in your CI/CD workflows. For GitHub Actions and GitLab CI/CD, it also automatically generates provenance information. For more information, see "[Generating provenance statements][provenance-how-to]."
8787

8888
</Note>
8989

content/packages-and-modules/securing-your-code/trusted-publishers.mdx

Lines changed: 64 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -22,14 +22,15 @@ Trusted publishing currently supports:
2222

2323
- [GitHub Actions](https://github.com/features/actions) (GitHub-hosted runners)
2424
- [GitLab CI/CD Pipelines](https://docs.gitlab.com/ci/pipelines/) (GitLab.com shared runners)
25+
- [CircleCI](https://circleci.com/) (CircleCI cloud)
2526

2627
Self-hosted runners are not currently supported but are planned for future releases.
2728

2829
## Configuring trusted publishing
2930

3031
### Step 1: Add a trusted publisher on npmjs.com
3132

32-
Navigate to your package settings on [npmjs.com](https://www.npmjs.com) and find the "**Trusted Publisher**" section. Under "**Select your publisher**", choose your CI/CD provider by clicking either the GitHub Actions or GitLab CI/CD button.
33+
Navigate to your package settings on [npmjs.com](https://www.npmjs.com) and find the "**Trusted Publisher**" section. Under "**Select your publisher**", choose your CI/CD provider by clicking the GitHub Actions, GitLab CI/CD, or CircleCI button.
3334

3435
<Screenshot src="/packages-and-modules/securing-your-code/trusted-publisher.png" alt="Screenshot showing the Trusted Publisher section with Select your publisher label and provider buttons" />
3536

@@ -59,6 +60,18 @@ Configure the following fields:
5960

6061
<Screenshot src="/packages-and-modules/securing-your-code/trusted-publisher-gitlab.png" alt="Screenshot of GitLab CI/CD trusted publisher configuration form" />
6162

63+
#### For CircleCI
64+
65+
Configure the following fields:
66+
67+
- **Organization ID** (required): Your CircleCI organization ID (UUID format). You may find it from your CircleCI Organization Settings Overview page.
68+
- **Project ID** (required): Your CircleCI project ID (UUID format). You may find it from your CircleCI Project Settings Overview page.
69+
- **Pipeline definition ID** (required): The pipeline definition ID (UUID format). You may find it from your CircleCI Project Settings under Project Setup page.
70+
- **VCS origin** (required): The VCS origin URL for your project (e.g., `github.com/myorg/myrepo`)
71+
- **Context IDs** (optional): Restrict publishing to jobs using specific CircleCI contexts. You may find them from your CircleCI Organization Settings Contexts.
72+
73+
<Screenshot src="/packages-and-modules/securing-your-code/trusted-publisher-circleci.png" alt="Screenshot of CircleCI trusted publisher configuration form" />
74+
6275
<Note>
6376

6477
**Note:** Each package can only have one trusted publisher configured at a time.
@@ -145,6 +158,47 @@ The `id_tokens` configuration tells GitLab to generate an OIDC token for npm. Le
145158

146159
</Note>
147160

161+
#### CircleCI configuration
162+
163+
Set the `NPM_ID_TOKEN` environment variable with an OIDC token from CircleCI, and npm CLI handles the token exchange automatically. Here's a complete example:
164+
165+
```yaml
166+
version: 2.1
167+
168+
jobs:
169+
publish:
170+
docker:
171+
- image: cimg/node:22.14
172+
steps:
173+
- checkout
174+
- run:
175+
name: Install dependencies
176+
command: npm ci
177+
- run:
178+
name: Run tests
179+
command: npm test
180+
- run:
181+
name: Build
182+
command: npm run build --if-present
183+
- run:
184+
name: Publish to npm with OIDC
185+
command: |
186+
export NPM_ID_TOKEN=$(circleci run oidc get --claims '{"aud": "npm:registry.npmjs.org"}')
187+
npm publish
188+
189+
workflows:
190+
publish:
191+
jobs:
192+
- publish:
193+
filters:
194+
tags:
195+
only: /^v.*/
196+
branches:
197+
ignore: /.*/
198+
```
199+
200+
The `circleci run oidc get` command retrieves an OIDC token from CircleCI. When `NPM_ID_TOKEN` is set, the npm CLI automatically exchanges it for a short-lived publish token. Learn more in [CircleCI's OIDC documentation](https://circleci.com/docs/openid-connect-tokens/).
201+
148202
### Managing trusted publisher configurations
149203

150204
You can modify or remove your trusted publisher configuration at any time through your package settings on [npmjs.com](https://npmjs.com) → Packages → YOUR_PACKAGE → Settings → Trusted publishing. Each package can only have one trusted publisher connection at a time, but this connection can be edited or deleted as needed. To change providers (for example, switching from GitHub Actions to GitLab CI/CD), simply edit your existing configuration and select the new provider. The change takes effect immediately for future publishes. To remove trusted publishing entirely and return to token-based authentication, delete the trusted publisher configuration from your package settings.
@@ -177,7 +231,13 @@ This ensures a smooth transition without disrupting your release process.
177231

178232
## Automatic provenance generation
179233

180-
When you publish using trusted publishing, npm automatically generates and publishes [provenance attestations](./generating-provenance-statements) for your package. This happens by default—you don't need to add the `--provenance` flag to your publish command.
234+
When you publish using trusted publishing from GitHub Actions or GitLab CI/CD, npm automatically generates and publishes [provenance attestations](./generating-provenance-statements) for your package. This happens by default—you don't need to add the `--provenance` flag to your publish command.
235+
236+
<Note>
237+
238+
**Note:** Provenance generation is not currently supported for CircleCI. Packages published via CircleCI trusted publishing will not include provenance attestations.
239+
240+
</Note>
181241

182242
<Screenshot src="/packages-and-modules/securing-your-code/trusted-publisher-provenance.png" alt="Screenshot showing provenance badge/information on a package page" />
183243

@@ -264,7 +324,7 @@ Consider implementing these additional security practices:
264324

265325
## Troubleshooting
266326

267-
If you encounter an "Unable to authenticate" error when publishing, first verify that the workflow filename matches exactly what you configured on [npmjs.com](https://npmjs.com), including the `.yml` extension. All fields are case-sensitive and must be exact. Also ensure you're using GitHub-hosted runners or GitLab.com shared runners, as self-hosted runners are not currently supported. For GitHub Actions specifically, check that the `id-token: write` permission is set in your workflow.
327+
If you encounter an "Unable to authenticate" error when publishing, first verify that the workflow filename matches exactly what you configured on [npmjs.com](https://npmjs.com), including the `.yml` extension. All fields are case-sensitive and must be exact. Also ensure you're using GitHub-hosted runners, GitLab.com shared runners, or CircleCI cloud, as self-hosted runners are not currently supported. For GitHub Actions specifically, check that the `id-token: write` permission is set in your workflow. For CircleCI, verify that your Organization ID, Project ID, and Pipeline definition ID match your CircleCI configuration.
268328

269329
<Note>
270330

@@ -292,4 +352,5 @@ We intend to expand trusted publishing support to additional CI/CD providers and
292352
- [OpenSSF Trusted Publishers specification](https://repos.openssf.org/trusted-publishers-for-all-package-repositories)
293353
- [GitHub Actions OIDC documentation](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect)
294354
- [GitLab CI/CD OIDC documentation](https://docs.gitlab.com/ee/ci/cloud_services/)
355+
- [CircleCI OIDC documentation](https://circleci.com/docs/openid-connect-tokens/)
295356
- [API documentation for exchanging OIDC ID token for npm registry token](https://api-docs.npmjs.com/#tag/registry.npmjs.org/operation/exchangeOidcToken)
137 KB
Loading
842 Bytes
Loading

0 commit comments

Comments
 (0)