Description
- I'd be willing to implement this feature (contributing guide)
- This feature is important to have in this repository; a contrib plugin wouldn't do
Describe the user story
Hi!
Features implemented in #6750 and #6898 are currently independent: you can publish with provenance and without OIDC and vice versa.
Describe the solution you'd like
When OIDC is enabled, provenance should be on by default. Since we run in a trusted environment, it would be a shame not to enable all security features.
This feature is enabled for NPM:
Get automatic provenance: When using trusted publishing, npm CLI publishes provenance attestations by default. The --provenance flag is no longer needed.
https://github.blog/changelog/2025-07-31-npm-trusted-publishing-with-oidc-is-generally-available/
Describe the drawbacks of your solution
On GitLab it requires two signed tokens instead of one:

```yaml
id_tokens:
  NPM_ID_TOKEN: # used for OIDC
    aud: "npm:registry.npmjs.org"
  SIGSTORE_ID_TOKEN: # used for provenance
    aud: sigstore
```

The npm documentation never seems to list NPM_ID_TOKEN without SIGSTORE_ID_TOKEN, but we're never too sure about user-land code: https://docs.npmjs.com/trusted-publishers#gitlab-cicd-configuration

It may be safer to only enable this on GitHub.
Describe alternatives you've considered
n/a
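The decision described in this request ("when OIDC is enabled, provenance should be on by default", with the GitLab caveat that a second Sigstore-audience token may be missing) can be written as a small resolver. The following is an added example, not code from semantic-release, npm, or the issue author. It assumes a hypothetical user option `provenance` (true / false / undefined) and detects the CI provider from environment variables: `GITHUB_ACTIONS`, `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN` on GitHub Actions (present when the job has `id-token: write`), and `GITLAB_CI` plus the `NPM_ID_TOKEN` / `SIGSTORE_ID_TOKEN` names from the `id_tokens` snippet above on GitLab. The resolver refuses to add `--provenance` when OIDC is available but no Sigstore-audience token is, so the publish does not fail on a GitLab job that only defined `NPM_ID_TOKEN`.

```javascript
// Added example (hypothetical; not semantic-release or npm code).
// Decide whether `npm publish` should be invoked with --provenance when
// trusted publishing (OIDC) is in use, honouring an explicit user setting.

function detectCi(env) {
  if (env.GITHUB_ACTIONS === "true") return "github";
  if (env.GITLAB_CI === "true") return "gitlab";
  return "unknown";
}

// OIDC trusted publishing is usable only if the provider exposes a token
// the npm CLI can exchange with the registry.
function oidcAvailable(env) {
  switch (detectCi(env)) {
    case "github":
      // GitHub Actions exposes a token-request endpoint when id-token: write is set.
      return Boolean(env.ACTIONS_ID_TOKEN_REQUEST_URL && env.ACTIONS_ID_TOKEN_REQUEST_TOKEN);
    case "gitlab":
      // GitLab: the job must declare an id_token with the npm registry audience
      // (named NPM_ID_TOKEN in the issue's snippet; name is an assumption here).
      return Boolean(env.NPM_ID_TOKEN);
    default:
      return false;
  }
}

// Provenance needs a token with the "sigstore" audience. On GitHub the same
// token-request endpoint mints it; on GitLab it is a separate id_token.
function sigstoreTokenAvailable(env) {
  switch (detectCi(env)) {
    case "github":
      return oidcAvailable(env);
    case "gitlab":
      return Boolean(env.SIGSTORE_ID_TOKEN);
    default:
      return false;
  }
}

// userOption: true / false from the user's config, or undefined for "not set".
function resolveProvenance(env, userOption) {
  if (userOption === false) return { provenance: false, reason: "disabled by config" };
  if (userOption === true) return { provenance: true, reason: "enabled by config" };
  if (!oidcAvailable(env)) {
    return { provenance: false, reason: "no OIDC token; publishing with a classic token" };
  }
  if (!sigstoreTokenAvailable(env)) {
    return { provenance: false, reason: "OIDC token present but no sigstore-audience token" };
  }
  return { provenance: true, reason: "OIDC trusted publishing; provenance on by default" };
}

// Build the argument list handed to the npm CLI.
function publishArgs(env, userOption) {
  const args = ["publish"];
  if (resolveProvenance(env, userOption).provenance) args.push("--provenance");
  return args;
}

// Constructed sample environments for a quick stand-alone run.
const sampleGitHub = {
  GITHUB_ACTIONS: "true",
  ACTIONS_ID_TOKEN_REQUEST_URL: "https://example.invalid/token", // constructed placeholder
  ACTIONS_ID_TOKEN_REQUEST_TOKEN: "placeholder-request-token",   // constructed placeholder
};
const sampleGitLabOidcOnly = { GITLAB_CI: "true", NPM_ID_TOKEN: "placeholder-jwt" };
const sampleGitLabBoth = { ...sampleGitLabOidcOnly, SIGSTORE_ID_TOKEN: "placeholder-jwt" };

console.log(publishArgs(sampleGitHub, undefined));        // [ 'publish', '--provenance' ]
console.log(publishArgs(sampleGitLabOidcOnly, undefined)); // [ 'publish' ]
console.log(publishArgs(sampleGitLabBoth, undefined));     // [ 'publish', '--provenance' ]
```

An explicit `provenance: false` still wins over the OIDC default, which matches how the npm CLI treats the flag: the default only changes what happens when nothing was configured.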