npm publish "--provenance" OIDC generation failed in CI
npm publish --provenance signs an attestation using an OIDC id-token minted by the CI provider. If the workflow does not grant id-token: write, or runs somewhere npm does not support provenance, the publish fails before uploading.
What this error means
npm publish --provenance fails with a provenance error such as "Provenance generation in GitHub Actions requires \"write\" access to the \"id-token\" permission" or "Failed to get OIDC token".
npm error Provenance generation in GitHub Actions requires "write" access to the "id-token" permission. This can be set in the workflow file.
npm error code EUSAGECommon causes
The workflow does not grant id-token: write
Provenance is built from an OIDC token. Without permissions: id-token: write, GitHub will not mint the token and npm cannot generate the attestation.
Provenance run outside a supported CI or registry
npm only supports provenance from supported CI providers publishing to a registry that accepts attestations; running elsewhere errors.
How to fix it
Grant the id-token permission to the job
Add the OIDC permission and publish with --provenance so npm can mint and attach the attestation.
permissions:
contents: read
id-token: write
jobs:
publish:
steps:
- run: npm publish --provenance --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}Require a modern npm and supported CI
Provenance needs a recent npm (9.5+) and a supported CI provider. Upgrade npm in the job before publishing.
npm install -g npm@latest
npm --versionHow to prevent it
- Add
id-token: writeto any job that publishes with provenance. - Keep npm current so provenance support is present.
- Publish provenance from a supported CI provider and registry only.