Synopsis
npm trust
Note: This command is unaware of workspaces.
Prerequisites
Before using npm trust commands, ensure the following requirements are met:
- npm@11.10.0 or later. Update with npm install -g npm@^11.10.0 if needed.

Description
Configure trust relationships between npm packages and CI/CD providers using OpenID Connect (OIDC). This is the command-line equivalent of managing trusted publisher configurations on the npm website.
For a comprehensive overview of trusted publishing, see the npm trusted publishers documentation.
The [package] argument specifies the package name. If omitted, npm will use the name from the package.json in the current directory.
Each trust relationship has its own set of configuration options and flags, based on the OIDC claims that the provider issues. OIDC claims come from the CI/CD provider and carry information such as the repository name, workflow file, or environment. Because every provider's claims differ, the available flags and configuration keys are not universal: npm matches the claims supported in each provider's OIDC configuration. For details on which claims and flags a specific provider supports, run npm trust <provider> --help.
The required options depend on the CI/CD provider you're configuring. Detailed information about each option is available in the managing trusted publisher configurations section of the npm documentation. If a provider is repository-based and the option is not provided, npm will use the repository.url field from your package.json, if available.
Currently, the registry only supports one configuration per package. If you attempt to create a new trust relationship when one already exists, it will result in an error. To replace an existing configuration:
1. npm trust list [package] to find the ID of the existing trusted publisher
2. npm trust revoke --id <id> [package] to delete the existing configuration

Bulk Usage
For maintainers managing a large number of packages, you can configure trusted publishing in bulk using bash scripting. Create a loop that iterates through package names and their corresponding configuration details, executing the npm trust <provider> command with the --yes flag for each package.
The first request will require two-factor authentication. During two-factor authentication, you'll see an option on the npm website to skip two-factor authentication for the next 5 minutes. Enabling this option will allow subsequent npm trust <provider> commands to proceed without two-factor authentication, streamlining the bulk configuration process.
We recommend adding a 2-second sleep between each call to avoid rate limiting. With this approach, you can configure approximately 80 packages within the 5-minute two-factor authentication skip window.
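The loop described above, written out as an added example (this is not code from the npm docs). It assumes GitHub Actions as the provider, a constructed '|'-separated manifest of package, owner/repo, workflow file and environment, and an NPM_BIN variable (an assumption of this script, not an npm option) so the loop can be rehearsed with NPM_BIN=echo before any real call is made. Entries whose repo or workflow file name npm trust github would reject are skipped up front, so no 2FA-gated request is spent on them.

```shell
#!/bin/sh
# Bulk trusted-publisher setup via the loop the docs describe.
# Added example, not npm's own code. Assumptions (not from the page):
# GitHub Actions as provider, the '|'-separated manifest constructed below,
# and an NPM_BIN override (NPM_BIN=echo) to rehearse the loop offline.
set -eu

NPM_BIN=${NPM_BIN:-npm}        # NPM_BIN=echo prints the commands instead of running them
SLEEP_SECS=${SLEEP_SECS:-2}    # docs: ~2 s between calls to avoid rate limiting
WINDOW_CALLS=80                # docs: about 80 calls fit in the 5-minute 2FA skip window

# Constructed manifest: package|owner/repo|workflow file|environment (env may be empty).
# The last two entries are deliberately malformed to exercise the pre-check.
MANIFEST='@acme/core|acme/core|publish.yml|release
@acme/cli|acme/cli|release.yml|
acme-utils|acme/utils|publish.yml|npm-publish
acme-broken|acme|publish.yml|release
acme-badfile|acme/badfile|deploy.json|'

CONFIGURED_COUNT=0
SKIPPED_COUNT=0
FAILED_COUNT=0

# Return 0 when repo is exactly owner/repo and file is a bare *.yml/*.yaml
# name, which is what npm trust github expects for --repo and --file.
validate_entry() {
  repo=$1 file=$2
  case $repo in
    ""|/*|*/|*/*/*) return 1 ;;   # empty part, or more than one slash
    */*) ;;
    *) return 1 ;;                # no slash at all
  esac
  case $file in
    */*) return 1 ;;              # a file name, not a path
    *.yml|*.yaml) return 0 ;;
    *) return 1 ;;
  esac
}

# Run one npm trust github call for a manifest entry; --env only when set.
run_trust() {
  pkg=$1 repo=$2 file=$3 env=${4:-}
  set -- trust github "$pkg" --file "$file" --repo "$repo" --yes
  if [ -n "$env" ]; then
    set -- "$@" --env "$env"
  fi
  "$NPM_BIN" "$@"
}

# Walk the manifest: validate, call npm, sleep; counts land in the globals above.
# The first real call prompts for 2FA on the website; choose "skip for 5 minutes".
configure_all() {
  total=$(printf '%s\n' "$MANIFEST" | grep -c '|' || true)
  if [ "$total" -gt "$WINDOW_CALLS" ]; then
    echo "warning: $total entries; expect a second 2FA prompt after ~$WINDOW_CALLS" >&2
  fi
  while IFS='|' read -r pkg repo file env; do
    [ -n "$pkg" ] || continue
    if ! validate_entry "$repo" "$file"; then
      echo "skip $pkg: bad repo '$repo' or workflow file '$file'" >&2
      SKIPPED_COUNT=$((SKIPPED_COUNT + 1))
      continue
    fi
    if run_trust "$pkg" "$repo" "$file" "$env"; then
      CONFIGURED_COUNT=$((CONFIGURED_COUNT + 1))
    else
      echo "failed: $pkg" >&2
      FAILED_COUNT=$((FAILED_COUNT + 1))
    fi
    sleep "$SLEEP_SECS"
  done <<EOF
$MANIFEST
EOF
  echo "configured=$CONFIGURED_COUNT skipped=$SKIPPED_COUNT failed=$FAILED_COUNT" >&2
}

# Only act when invoked as: sh bulk-trust.sh --run
if [ "${1:-}" = "--run" ]; then
  configure_all
fi
```

Rehearse with NPM_BIN=echo sh bulk-trust.sh --run to see the exact npm trust github lines, then run it for real with sh bulk-trust.sh --run; the first call opens the 2FA prompt where you choose to skip 2FA for 5 minutes. Because every --yes call after that is non-interactive, check the manifest carefully beforehand: a wrong owner/repo or workflow file name creates a trust relationship that lets that repository's workflow publish your package.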
Configuration
npm trust github

Create a trusted relationship between a package and GitHub Actions

Synopsis
npm trust github [package] --file [--repo|--repository] [--env|--environment] [-y|--yes]
Flags
| Flag | Default | Type | Description |
|---|---|---|---|
| --file | null | String (required) | Name of the workflow file within the repository's .github/workflows directory (must end in .yaml or .yml) |
| --repository, --repo | null | String | Name of the repository in the format owner/repo |
| --environment, --env | null | String | CI environment name |
| --dry-run | false | Boolean | Indicates that you don't want npm to make any changes and that it should only report what it would have done. This can be passed into any of the commands that modify your local installation, e.g. install, update, dedupe, uninstall, as well as pack and publish. Note: This is NOT honored by other network-related commands, e.g. dist-tags, owner, etc. |
| --json | false | Boolean | Whether or not to output JSON data, rather than the normal output. In npm pkg set it enables parsing set values with JSON.parse() before saving them to your package.json. Not supported by all npm commands. |
| --registry | "https://registry.npmjs.org/" | URL | The base URL of the npm registry. |
| --yes, -y | null | null or Boolean | Automatically answer "yes" to any prompts that npm might print on the command line. |
npm trust gitlab

Create a trusted relationship between a package and GitLab CI/CD

Synopsis
npm trust gitlab [package] --file [--project|--repo|--repository] [--env|--environment] [-y|--yes]
Flags
| Flag | Default | Type | Description |
|---|---|---|---|
| --file | null | String (required) | Name of the pipeline file (e.g. .gitlab-ci.yml) |
| --project | null | String | Name of the project in the format group/project or group/subgroup/project |
| --environment, --env | null | String | CI environment name |
| --dry-run | false | Boolean | Indicates that you don't want npm to make any changes and that it should only report what it would have done. This can be passed into any of the commands that modify your local installation, e.g. install, update, dedupe, uninstall, as well as pack and publish. Note: This is NOT honored by other network-related commands, e.g. dist-tags, owner, etc. |
| --json | false | Boolean | Whether or not to output JSON data, rather than the normal output. In npm pkg set it enables parsing set values with JSON.parse() before saving them to your package.json. Not supported by all npm commands. |
| --registry | "https://registry.npmjs.org/" | URL | The base URL of the npm registry. |
| --yes, -y | null | null or Boolean | Automatically answer "yes" to any prompts that npm might print on the command line. |
npm trust circleci

Create a trusted relationship between a package and CircleCI

Synopsis
npm trust circleci [package] --org-id <uuid> --project-id <uuid> --pipeline-definition-id <uuid> --vcs-origin <origin> [--context-id <uuid>...] [-y|--yes]
Flags
| Flag | Default | Type | Description |
|---|---|---|---|
| --org-id | null | String (required) | CircleCI organization UUID |
| --project-id | null | String (required) | CircleCI project UUID |
| --pipeline-definition-id | null | String (required) | CircleCI pipeline definition UUID |
| --vcs-origin | null | String (required) | CircleCI repository origin in the format provider/owner/repo |
| --context-id | null | null or String (can be set multiple times) | CircleCI context UUID to match |
| --dry-run | false | Boolean | Indicates that you don't want npm to make any changes and that it should only report what it would have done. This can be passed into any of the commands that modify your local installation, e.g. install, update, dedupe, uninstall, as well as pack and publish. Note: This is NOT honored by other network-related commands, e.g. dist-tags, owner, etc. |
| --json | false | Boolean | Whether or not to output JSON data, rather than the normal output. In npm pkg set it enables parsing set values with JSON.parse() before saving them to your package.json. Not supported by all npm commands. |
| --registry | "https://registry.npmjs.org/" | URL | The base URL of the npm registry. |
| --yes, -y | null | null or Boolean | Automatically answer "yes" to any prompts that npm might print on the command line. |
npm trust list

List trusted relationships for a package

Synopsis
npm trust list [package]
Flags
| Flag | Default | Type | Description |
|---|---|---|---|
| --json | false | Boolean | Whether or not to output JSON data, rather than the normal output. In npm pkg set it enables parsing set values with JSON.parse() before saving them to your package.json. Not supported by all npm commands. |
| --registry | "https://registry.npmjs.org/" | URL | The base URL of the npm registry. |
npm trust revoke

Revoke a trusted relationship for a package

Synopsis
npm trust revoke [package] --id=<trust-id>
Flags
| Flag | Default | Type | Description |
|---|---|---|---|
| --id | null | String (required) | ID of the trusted relationship to revoke |
| --dry-run | false | Boolean | Indicates that you don't want npm to make any changes and that it should only report what it would have done. This can be passed into any of the commands that modify your local installation, e.g. install, update, dedupe, uninstall, as well as pack and publish. Note: This is NOT honored by other network-related commands, e.g. dist-tags, owner, etc. |
| --registry | "https://registry.npmjs.org/" | URL | The base URL of the npm registry. |
See Also