deno publish: Publish to JSR in CI
deno publish uploads a package to JSR, validating its config and types before it goes out.
Publishing from CI keeps releases reproducible. deno publish supports OIDC so a GitHub Actions job can publish without a long-lived token.
What it does
deno publish reads name and version from deno.json, validates the package (including JSR slow-type rules), and uploads it to the registry. From a supported CI provider it can authenticate via OIDC rather than a token.
Common usage
deno publish --dry-run
deno publish
# CI: publish allowing a dirty tree is sometimes needed
deno publish --allow-dirtyOptions
| Flag | What it does |
|---|---|
| --dry-run | Validate and show what would publish without uploading |
| --allow-dirty | Publish even with uncommitted changes |
| --no-check | Skip type-checking before publishing |
| --token <token> | Authenticate with a token instead of OIDC |
| --allow-slow-types | Publish despite slow-type diagnostics |
In CI
Run deno publish --dry-run on pull requests to catch problems early, and the real publish on a tagged release. On GitHub Actions, grant id-token: write so OIDC works and no token secret is needed. Keep the version in deno.json as the single source of truth.
Common errors in CI
"error: Package contains slow types" means an exported symbol lacks an explicit type that JSR requires; add the annotation or pass --allow-slow-types. "Version already exists" means deno.json was not bumped. "Failed to authenticate" from CI usually means missing id-token: write permission for OIDC. "Uncommitted changes" calls for committing or --allow-dirty.