README.md (23 additions & 41 deletions)
@@ -32,16 +32,14 @@ jobs:
contents: read
id-token: write
steps:
-
- uses: actions/checkout@v5
-
- uses: actions/setup-node@v5
+
- uses: actions/checkout@v6
+
- uses: actions/setup-node@v6
with:
node-version: "24"
registry-url: "https://registry.npmjs.org"
- run: npm ci
- run: npm test
-
- run: npm publish --provenance --ignore-scripts
-
env:
-
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
- run: npm publish --ignore-scripts
```

See GitHub's [Node.js publishing][] guide and npm's [trusted publishing][] docs for more details and examples.
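Review bot: removing `--provenance` together with the `NODE_AUTH_TOKEN` env (old lines 42-44, new line 42) leaves this step with no credential unless a trusted publisher is already registered for the package on the registry, and the surrounding prose should say that the provenance attestation the old flag produced is now expected to come from trusted publishing; a reader who copies the new snippet without that registration gets a failed publish rather than a signed one. Also, a job that holds `id-token: write` is exactly where `actions/checkout@v6` and `actions/setup-node@v6` should be pinned to a full commit SHA rather than a mutable major tag.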
@@ -78,7 +76,7 @@ This package can be used three different ways:

## GitHub Action

-
To use the GitHub Action, you'll need to add it as a step in your [workflow file][]. By default, the only thing you need to do is set the `token` parameter to your [npm authentication token][].
+
To use the GitHub Action, you'll need to add it as a step in your [workflow file][]. By default, the only thing you need to do is set `permissions.id-token` to `write` to enable [trusted publishing][] via OIDC.

```yaml
on:
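Review bot: the replacement sentence (new line 79) drops two preconditions the old text carried elsewhere in this diff: the package must have a trusted publisher configured on the registry, and the runner's npm must support OIDC publishing (the removed line below cites `npm@>=11.5.1`). Setting `permissions.id-token: write` on its own does nothing, so reword to something like "set `permissions.id-token` to `write` and configure a [trusted publisher][trusted publishing] for the package on the registry".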
@@ -88,41 +86,27 @@ on:
jobs:
publish:
runs-on: ubuntu-latest
+
permissions:
+
contents: read
+
id-token: write
steps:
-
- uses: actions/checkout@v5
-
- uses: actions/setup-node@v5
+
- uses: actions/checkout@v6
+
- uses: actions/setup-node@v6
with:
node-version: "24"
- run: npm ci
- run: npm test
- uses: JS-DevTools/npm-publish@v4
-
with:
-
token: ${{ secrets.NPM_TOKEN }}
```

-
If you have [trusted publishing][] configured for your package and use `npm@>=11.5.1`, you can omit the `token` input and use OIDC instead.
-
> [!IMPORTANT]
-
> If you're publishing a private package, you will still need to provide a read-only `token` so the action can read existing versions from the registry before publish.
-
-
```diff
-
jobs:
-
publish:
-
runs-on: ubuntu-latest
-
+ permissions:
-
+ contents: read
-
+ id-token: write # required to use OIDC
-
steps:
-
- uses: actions/checkout@v5
-
- uses: actions/setup-node@v5
-
with:
-
node-version: "24" # includes npm@11.6.0
-
- run: npm ci
-
- run: npm test
-
- uses: JS-DevTools/npm-publish@v4
-
- with:
-
- token: ${{ secrets.NPM_TOKEN }}
-
```
+
> If you're publishing a private package with [trusted publishing][], you will still need to provide a read-only [`token`][npm authentication token] so the action can read existing versions from the registry before publish.
+
>
+
> ```diff
+
> - uses: JS-DevTools/npm-publish@v4
+
> + with:
+
> + token: ${{ secrets.NPM_TOKEN }}
+
> ```

You can also publish to third-party registries. For example, to publish to the [GitHub Package Registry][], set `token` to `secrets.GITHUB_TOKEN` and `registry` to `https://npm.pkg.github.com`:
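Review bot: the removed lines 103 and 119 (`npm@>=11.5.1` and `node-version: "24" # includes npm@11.6.0`) were the only place the README stated the npm version floor for OIDC publishing, and nothing in the new text replaces them; keep one sentence on the minimum npm version next to the IMPORTANT block. In that block, "read-only `token`" should say what is meant (a token whose scope is read access to the package, not a publish-capable automation token), because the action writes whatever token it is given into a generated `.npmrc` for the run (see the `temporaryDirectory` row in the options table), and a publish-capable token there silently re-introduces the long-lived credential that trusted publishing was adopted to remove.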
@@ -138,8 +122,8 @@ jobs:
contents: read
packages: write # allow GITHUB_TOKEN to publish packages
steps:
-
- uses: actions/checkout@v5
-
- uses: actions/setup-node@v5
+
- uses: actions/checkout@v6
+
- uses: actions/setup-node@v6
with:
node-version: "24"
- run: npm ci
@@ -161,7 +145,7 @@ You can set any or all of the following input parameters using `with`:
| `package` | string | Current working directory | Path to a package directory, a `package.json`, or a packed `.tgz` to publish. |
| `tag`¹ | string | `latest` | [Distribution tag][npm-tag] to publish to. |
@@ -246,7 +228,7 @@ import type { Options } from "@jsdevtools/npm-publish";
| `strategy` | `all`, `upgrade` | `all` | Use `all` to publish all unique versions, `upgrade` for only semver upgrades. |
| `ignoreScripts` | boolean | `true` | Run `npm publish` with the `--ignore-scripts` flag as a security precaution. |
| `dryRun` | boolean | `false` | Run `npm publish` with the `--dry-run` flag to prevent publication. |
-
| `logger` | object | `undefined` | Logging interface with `debug`, `info`, and `error` log methods. |
+
| `logger` | object | None | Logging interface with `debug`, `info`, and `error` log methods. |
| `temporaryDirectory` | string | `os.tmpdir()` | Temporary directory to hold a generated `.npmrc` file |

1. May be specified using `publishConfig` in `package.json`.
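Review bot: this table documents the JavaScript/TypeScript `Options` type (see the `import type { Options }` context in the hunk header), so `undefined` was the precise default for `logger`; `None` reads like a Python value. If the goal is to avoid a code literal for "not set", use lower-case "none" or "not set", and apply the same wording to any other optional inputs in the table.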
@@ -395,7 +377,7 @@ The `check-version` and `greater-version-only` boolean options were replaced wit
`check-version: false` has been removed. If you only need to publish, without first checking whether the version exists in the registry, you can [use `npm` directly][publishing-nodejs-packages] instead:

```diff
-
- uses: actions/setup-node@v5
+
- uses: actions/setup-node@v6
with:
node-version: '24'
+ registry-url: https://registry.npmjs.org/
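Review bot: the migration snippet's `registry-url: https://registry.npmjs.org/` (new line 383) carries a trailing slash while the publishing example at the top of the README uses `"https://registry.npmjs.org"` without one; both are accepted, but pick one form so readers copying between the two examples get the same `.npmrc` registry key.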
@@ -447,7 +429,7 @@ If you can't change your build, you can set the `ignore-scripts` input to `false
The global `.npmrc` file is no longer read nor modified. This means the `token` option is now required for the library and CLI. (It was already required for the action.) You may have workarounds in place referencing `INPUT_TOKEN`, which v1 [erroneously wrote][#15] to `.npmrc`. These workarounds should be removed.