How to Publish to npm on Release With Provenance in GitHub Actions
npm publish --provenance generates a signed, OIDC-backed link between the published tarball and the exact workflow run that built it.
Trigger on release: published, grant id-token: write, set the npm registry, and run npm publish --provenance --access public with an automation token.
Steps
- Trigger on
releasewithtypes: [published]. - Grant
id-token: write(andcontents: read). - Configure
setup-nodewith the npmregistry-url. - Run
npm publish --provenancewithNODE_AUTH_TOKEN.
Workflow
.github/workflows/release.yml
on:
release:
types: [published]
permissions:
contents: read
id-token: write
jobs:
publish:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 20
registry-url: https://registry.npmjs.org
- run: npm ci
- run: npm publish --provenance --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}Gotchas
- Provenance requires
id-token: write; without it npm rejects the--provenanceflag. - The package must be public (or use a paid plan) for provenance to be generated.
Related guides
How to Sign Release Artifacts With Cosign in GitHub ActionsKeyless-sign release files in GitHub Actions with Cosign and Sigstore using OIDC, producing signature and cer…
How to Attach an SBOM to a Release in GitHub ActionsGenerate a Software Bill of Materials with Syft in GitHub Actions and attach it to the GitHub Release, so con…