Skip to content
Latchkey

npm publish "--provenance" OIDC generation failed in CI

npm publish --provenance signs an attestation using an OIDC id-token minted by the CI provider. If the workflow does not grant id-token: write, or runs somewhere npm does not support provenance, the publish fails before uploading.

What this error means

npm publish --provenance fails with a provenance error such as "Provenance generation in GitHub Actions requires \"write\" access to the \"id-token\" permission" or "Failed to get OIDC token".

npm
npm error Provenance generation in GitHub Actions requires "write" access to the "id-token" permission. This can be set in the workflow file.
npm error code EUSAGE

Common causes

The workflow does not grant id-token: write

Provenance is built from an OIDC token. Without permissions: id-token: write, GitHub will not mint the token and npm cannot generate the attestation.

Provenance run outside a supported CI or registry

npm only supports provenance from supported CI providers publishing to a registry that accepts attestations; running elsewhere errors.

How to fix it

Grant the id-token permission to the job

Add the OIDC permission and publish with --provenance so npm can mint and attach the attestation.

.github/workflows/release.yml
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    steps:
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

Require a modern npm and supported CI

Provenance needs a recent npm (9.5+) and a supported CI provider. Upgrade npm in the job before publishing.

Terminal
npm install -g npm@latest
npm --version

How to prevent it

  • Add id-token: write to any job that publishes with provenance.
  • Keep npm current so provenance support is present.
  • Publish provenance from a supported CI provider and registry only.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →