Skip to content
Latchkey

How to Publish to npm on Release With Provenance in GitHub Actions

npm publish --provenance generates a signed, OIDC-backed link between the published tarball and the exact workflow run that built it.

Trigger on release: published, grant id-token: write, set the npm registry, and run npm publish --provenance --access public with an automation token.

Steps

  • Trigger on release with types: [published].
  • Grant id-token: write (and contents: read).
  • Configure setup-node with the npm registry-url.
  • Run npm publish --provenance with NODE_AUTH_TOKEN.

Workflow

.github/workflows/release.yml
on:
  release:
    types: [published]
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

Gotchas

  • Provenance requires id-token: write; without it npm rejects the --provenance flag.
  • The package must be public (or use a paid plan) for provenance to be generated.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →