Skip to content
Latchkey

How to Configure a Scoped Registry in .npmrc for Publishing

Map the scope to its registry and supply a per-registry _authToken in .npmrc so both install and publish resolve the scoped package correctly in CI.

A .npmrc can route different scopes to different registries. Set @scope:registry=<url> and a matching //host/:_authToken= line. This lets one CI job pull private deps from one registry and publish to another without ambiguity.

Steps

  • Add @scope:registry=<url> for the scope you publish or install.
  • Add //host/:_authToken=${TOKEN} for that same host.
  • Reference the token from an env var so no secret is committed.

.npmrc

.npmrc
@my-org:registry=https://npm.pkg.github.com
//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}
registry=https://registry.npmjs.org/
//registry.npmjs.org/:_authToken=${NPM_TOKEN}
always-auth=true

Workflow

.github/workflows/ci.yml
- run: npm ci
  env:
    GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
- run: npm publish
  env:
    NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

Gotchas

  • The _authToken host must exactly match the registry host, including any path segment.
  • Never commit the resolved token; keep the ${VAR} form so npm expands it at runtime.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →