How to Publish an npm Package in GitHub Actions
Publish to npm from a release workflow by wiring setup-node to the registry and exposing NODE_AUTH_TOKEN.
Use actions/setup-node with registry-url to write an .npmrc, then npm publish reads NODE_AUTH_TOKEN. Add --provenance for a signed supply-chain attestation.
Publish on a release
The registry URL makes setup-node write auth config; the token is supplied via the env at publish time.
.github/workflows/publish.yml
on:
release:
types: [published]
jobs:
publish:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write # required for --provenance
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 20
registry-url: https://registry.npmjs.org
- run: npm ci
- run: npm publish --provenance --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}Gotchas
- The token env var must be exactly
NODE_AUTH_TOKEN-setup-nodewrites an.npmrcthat references it by that name. --provenanceneedspermissions: id-token: writeand a public npm package; without the permission it errors.- Use an npm automation token (bypasses 2FA) stored as
secrets.NPM_TOKEN, not a personal publish token.
Related guides
How to Publish an npm Package in GitLab CIPublish an npm package from GitLab CI to npmjs or the GitLab Package Registry - write .npmrc with the CI job…
How to Publish an npm Package in CircleCIPublish an npm package from CircleCI on a tag - authenticate with an NPM_TOKEN from a context and run npm pub…