
npm-trusted-publishing

Implement secure, tokenless npm publishing in GitHub Actions using OIDC, provenance attestations, and monorepo-friendly configuration.

Introduction

This skill provides a standardized approach for automating npm package publishing from GitHub Actions pipelines. By using OpenID Connect (OIDC) trusted publishing, it removes the need to store a long-lived NPM_TOKEN secret in your repository settings, which eliminates the most common way such tokens leak (exposed secrets, compromised workflows, or forks with access to them). It is designed for developers, maintainers, and DevOps engineers managing single packages or complex monorepo structures. At publish time the job requests a short-lived identity token from GitHub's OIDC provider; the npm registry verifies that token against the trusted publisher configured for the package (repository, workflow file and optional environment) and issues an ephemeral credential that is valid only for that publish.

  • Enables secure OIDC-based authentication between GitHub Actions and the npm registry.

  • Configures the publish step to emit provenance attestations, which record the source repository, commit and workflow run that built the package so consumers can verify where a version came from.

  • Supports monorepo setups by explicitly handling directory mapping for sub-packages.

  • Provides a robust, battle-tested YAML workflow template ready for integration into your CI/CD pipelines.

  • Updates the npm CLI in the runner before publishing, because trusted publishing requires npm 11.5.1 or later and the copy bundled with the Node.js runtime may be older.

  • Facilitates clean migration from traditional token-based authentication to industry-standard trusted publishing.

  • Ensure your package.json includes a repository.url field pointing at the GitHub repository the workflow runs in. The npm CLI compares this field to the repository it is executing in when it generates provenance, and the publish fails if they differ.

  • The workflow requires the id-token: write permission in your GitHub Actions configuration so the job can request the identity token the npm registry verifies. Grant only what the job needs alongside it (typically contents: read).

  • Use the --provenance flag in your npm publish command to attach provenance metadata to the package. With trusted publishing npm generates provenance automatically, but stating the flag makes the requirement explicit and causes the publish to fail loudly if provenance cannot be produced.

  • For monorepo configurations, always verify that the repository.directory field matches the relative path from the repository root to the specific package.

  • If you encounter 404 or authentication errors, confirm that the npm CLI in your runner environment is 11.5.1 or later (for example by running npm install -g npm@latest before publishing); older versions do not support the OIDC token exchange and fall back to looking for a token that is not there.
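The end-to-end workflow that the notes above describe, as an added example rather than the skill's own template. It assumes a monorepo package at packages/example-lib, a GitHub environment named npm-publish, and that a trusted publisher for this repository and this workflow file (publish.yml) has already been registered in the package's settings on npmjs.com; all three names are hypothetical. The check step compares package.json against the repository the job runs in before anything is published, so a misconfigured repository.url or repository.directory fails early with a clear message instead of a registry error.

```yaml
# .github/workflows/publish.yml (hypothetical filename; must match the trusted publisher on npmjs.com)
name: Publish to npm (trusted publishing)

on:
  release:
    types: [published]

permissions:
  contents: read   # checkout only; the job never needs write access to the repository
  id-token: write  # lets the job request a GitHub OIDC token that npm exchanges for a publish credential

jobs:
  publish:
    runs-on: ubuntu-latest
    # Hypothetical environment; if the trusted publisher on npmjs.com names an environment, it must match this
    environment: npm-publish
    defaults:
      run:
        # Hypothetical monorepo layout; must equal "repository.directory" in this package's package.json
        working-directory: packages/example-lib
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 24
          registry-url: https://registry.npmjs.org

      # Trusted publishing needs npm CLI 11.5.1 or newer; the npm bundled with Node may be older
      - name: Update npm
        run: npm install -g npm@latest

      - name: Check provenance prerequisites before publishing
        run: |
          node -e '
            const path = require("path");
            const pkg = require("./package.json");
            const repo = process.env.GITHUB_REPOSITORY;   // owner/name of the repository running this job

            // npm version gate: trusted publishing requires 11.5.1 or later
            const v = require("child_process").execSync("npm --version").toString().trim().split(".").map(Number);
            const npmOk = v[0] > 11 || (v[0] === 11 && (v[1] > 5 || (v[1] === 5 && v[2] >= 1)));
            if (!npmOk) {
              console.error(`npm ${v.join(".")} is older than 11.5.1, which trusted publishing requires`);
              process.exit(1);
            }

            // repository.url must name this repository (assumes the full URL form, e.g. git+https://github.com/owner/name.git)
            const url = String((pkg.repository || {}).url || "");
            if (!url.includes("github.com/" + repo)) {
              console.error(`repository.url "${url}" does not point at ${repo}`);
              process.exit(1);
            }

            // Monorepo: repository.directory must be the path from the repository root to this package
            const expected = path.relative(process.env.GITHUB_WORKSPACE, process.cwd());
            const declared = (pkg.repository || {}).directory || "";
            if (expected && declared !== expected) {
              console.error(`repository.directory "${declared}" should be "${expected}"`);
              process.exit(1);
            }
            console.log(`ok: npm ${v.join(".")}, ${repo}, directory "${declared || "."}"`);
          '

      - run: npm ci

      # No NODE_AUTH_TOKEN or NPM_TOKEN anywhere: npm requests the OIDC token itself and
      # the registry checks it against the trusted publisher configured for the package.
      - name: Publish with provenance
        run: npm publish --provenance --access public
```

Migrating from a token-based workflow means deleting the NPM_TOKEN secret and the `NODE_AUTH_TOKEN` line from the publish step, adding the `id-token: write` permission, registering the trusted publisher on npmjs.com, and then revoking the old token in the npm account settings so it cannot be used by anything that still holds a copy.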

Repository Stats

Stars: 106
Forks: 12
Open Issues: 4
Language: TypeScript
Default Branch: main
Last Synced: Apr 30, 2026, 11:10 AM