Skip to content
Latchkey

npm publish from CI

npm publish uploads your package to a registry.

Publishing from CI on a tag is the standard release flow. Use provenance and scoped access to publish safely.

Common flags

  • --access public - required for new scoped packages
  • --provenance - attach build provenance
  • --tag next - publish under a dist-tag
  • --dry-run - verify without uploading

Example in CI

Publish with provenance on a release tag.

shell
npm publish --provenance --access public

In CI

Set //registry.npmjs.org/:_authToken=\${NPM_TOKEN} in .npmrc. --provenance requires OIDC permissions (id-token: write).

Key takeaways

  • --access public for scoped first publishes.
  • --provenance needs id-token: write.
  • Authenticate via .npmrc token.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →