npm publish from CI
npm publish uploads your package to a registry.
Publishing from CI on a tag is the standard release flow. Use provenance and scoped access to publish safely.
Common flags
--access public- required for new scoped packages--provenance- attach build provenance--tag next- publish under a dist-tag--dry-run- verify without uploading
Example in CI
Publish with provenance on a release tag.
shell
npm publish --provenance --access publicIn CI
Set //registry.npmjs.org/:_authToken=\${NPM_TOKEN} in .npmrc. --provenance requires OIDC permissions (id-token: write).
Key takeaways
--access publicfor scoped first publishes.--provenanceneedsid-token: write.- Authenticate via
.npmrctoken.