How to Configure a Scoped Registry in .npmrc for Publishing
Map the scope to its registry and supply a per-registry _authToken in .npmrc so both install and publish resolve the scoped package correctly in CI.
A .npmrc can route different scopes to different registries. Set @scope:registry=<url> and a matching //host/:_authToken= line. This lets one CI job pull private deps from one registry and publish to another without ambiguity.
Steps
- Add
@scope:registry=<url>for the scope you publish or install. - Add
//host/:_authToken=${TOKEN}for that same host. - Reference the token from an env var so no secret is committed.
.npmrc
.npmrc
@my-org:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}
registry=https://registry.npmjs.org/
//registry.npmjs.org/:_authToken=${NPM_TOKEN}
always-auth=trueWorkflow
.github/workflows/ci.yml
- run: npm ci
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
- run: npm publish
env:
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}Gotchas
- The
_authTokenhost must exactly match the registry host, including any path segment. - Never commit the resolved token; keep the
${VAR}form so npm expands it at runtime.
Related guides
How to Publish an npm Package to GitHub PackagesPublish a scoped npm package to GitHub Packages from CI by pointing the registry at npm.pkg.github.com and au…
How to Publish an npm Package From CIPublish an npm package from CI with npm publish and an NPM_TOKEN automation token, setting registry auth in .…
How to Handle 2FA With Automation Tokens When PublishingPublish from CI when 2FA is enabled by using an automation token that bypasses the interactive one-time-passw…