How to Publish an npm Package With Provenance in GitHub Actions
With id-token: write and npm publish --provenance, npm records a signed link from the published version back to this exact workflow run.
Provenance attaches a verifiable attestation showing where and how the package was built. Set the registry, grant id-token: write, and pass --provenance (or provenance=true in .npmrc) on publish.
Steps
- Use
actions/setup-nodewithregistry-url: https://registry.npmjs.org. - Add
permissions: id-token: writeandcontents: read. - Publish with
npm publish --provenance --access publicusing an automation token.
Workflow
.github/workflows/publish.yml
permissions:
id-token: write
contents: read
jobs:
publish:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 20
registry-url: https://registry.npmjs.org
- run: npm ci && npm run build
- run: npm publish --provenance --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}Common pitfalls
- Provenance requires
id-token: write; without itnpm publish --provenanceexits with an error. - Provenance is only generated on supported CI (like GitHub Actions) and a public registry; it will not attach for a private scope.
- A classic read-only token cannot publish; use an automation token with publish rights as
NODE_AUTH_TOKEN.
Related guides
How to Publish a PyPI Package via Trusted Publishing in GitHub ActionsPublish a Python package to PyPI from GitHub Actions without an API token using Trusted Publishing (OIDC) and…
How to Create a GitHub Release With a Changelog in GitHub ActionsCut a GitHub Release with auto-generated notes from GitHub Actions using softprops/action-gh-release or the g…