Skip to content
Latchkey

deno publish: Publish to JSR in CI

deno publish uploads a package to JSR, validating its config and types before it goes out.

Publishing from CI keeps releases reproducible. deno publish supports OIDC so a GitHub Actions job can publish without a long-lived token.

What it does

deno publish reads name and version from deno.json, validates the package (including JSR slow-type rules), and uploads it to the registry. From a supported CI provider it can authenticate via OIDC rather than a token.

Common usage

Terminal
deno publish --dry-run
deno publish
# CI: publish allowing a dirty tree is sometimes needed
deno publish --allow-dirty

Options

FlagWhat it does
--dry-runValidate and show what would publish without uploading
--allow-dirtyPublish even with uncommitted changes
--no-checkSkip type-checking before publishing
--token <token>Authenticate with a token instead of OIDC
--allow-slow-typesPublish despite slow-type diagnostics

In CI

Run deno publish --dry-run on pull requests to catch problems early, and the real publish on a tagged release. On GitHub Actions, grant id-token: write so OIDC works and no token secret is needed. Keep the version in deno.json as the single source of truth.

Common errors in CI

"error: Package contains slow types" means an exported symbol lacks an explicit type that JSR requires; add the annotation or pass --allow-slow-types. "Version already exists" means deno.json was not bumped. "Failed to authenticate" from CI usually means missing id-token: write permission for OIDC. "Uncommitted changes" calls for committing or --allow-dirty.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →