diff --git a/content/packages-and-modules/securing-your-code/trusted-publishers.mdx b/content/packages-and-modules/securing-your-code/trusted-publishers.mdx index ae5b873ebd5..0b88329077f 100644 --- a/content/packages-and-modules/securing-your-code/trusted-publishers.mdx +++ b/content/packages-and-modules/securing-your-code/trusted-publishers.mdx 
@@ -148,6 +148,32 @@ The `id_tokens` configuration tells GitLab to generate an OIDC token for npm. Le You can modify or remove your trusted publisher configuration at any time through your package settings on [npmjs.com](https://npmjs.com). Each package can only have one trusted publisher connection at a time, but this connection can be edited or deleted as needed. To change providers (for example, switching from GitHub Actions to GitLab CI/CD), simply edit your existing configuration and select the new provider. The change takes effect immediately for future publishes. To remove trusted publishing entirely and return to token-based authentication, delete the trusted publisher configuration from your package settings. +## Recommended: Restrict token access when using trusted publishers + +Once you've configured trusted publishers for your package, we strongly recommend restricting traditional token-based publishing access for enhanced security. + +### How to configure maximum security + +1. After enabling trusted publishers, navigate to your package's **Settings** → **Publishing access** +2. Select **"Require two-factor authentication and disallow tokens"** +3. Save your changes by clicking on **Update Package Settings** + +### Why this matters + +Trusted publishers use short-lived, scoped credentials that are generated on-demand during your CI/CD workflow, eliminating the need for long-lived tokens. By restricting traditional token access while using trusted publishers, you reduce potential security risks associated with credential management. + +**Note:** The "disallow tokens" setting only affects traditional token authentication. Your trusted publishers will continue to work normally, as they use OIDC tokens. + +### Migration tip + +If you're transitioning from token-based publishing: + +1. Set up trusted publishers first and verify they work +2. Then restrict token access as described above +3. 
[Revoke any existing automation tokens](https://docs.npmjs.com/revoking-access-tokens) that are no longer needed + +This ensures a smooth transition without disrupting your release process. + ## Automatic provenance generation When you publish using trusted publishing, npm automatically generates and publishes [provenance attestations](./generating-provenance-statements) for your package. This happens by default—you don't need to add the `--provenance` flag to your publish command.
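Review bot: the **Note** under "Why this matters" explains only the "disallow tokens" half of the setting, but step 2 selects **"Require two-factor authentication and disallow tokens"**, so the same setting also makes any manual `npm publish` from a maintainer's machine require 2FA; add a sentence to the Note saying so, otherwise readers may think the only effect is on automation tokens. Related: the unchanged paragraph just above the new section says that deleting the trusted publisher configuration returns the package to token-based authentication, which is no longer true once this setting is enabled (tokens stay disallowed until the publishing access setting is changed back). Either qualify that earlier sentence or add a line to the "Migration tip" list such as "If you later remove trusted publishing, re-enable token access under **Publishing access** before relying on tokens again." Minor style point: the first three list items end without a period while the surrounding prose uses full sentences; pick one convention for the new lists.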