Skip to content
Latchkey

How to Publish an npm Package in GitHub Actions

Publish to npm from a release workflow by wiring setup-node to the registry and exposing NODE_AUTH_TOKEN.

Use actions/setup-node with registry-url to write an .npmrc, then npm publish reads NODE_AUTH_TOKEN. Add --provenance for a signed supply-chain attestation.

Publish on a release

The registry URL makes setup-node write auth config; the token is supplied via the env at publish time.

.github/workflows/publish.yml
on:
  release:
    types: [published]
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write          # required for --provenance
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

Gotchas

  • The token env var must be exactly NODE_AUTH_TOKEN - setup-node writes an .npmrc that references it by that name.
  • --provenance needs permissions: id-token: write and a public npm package; without the permission it errors.
  • Use an npm automation token (bypasses 2FA) stored as secrets.NPM_TOKEN, not a personal publish token.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →