Skip to content
Latchkey

Release npm packages workflow (NomaDamas/k-skill)

The Release npm packages workflow from NomaDamas/k-skill, explained and optimized by Latchkey.

C

CI health: C - fair

Point runs-on at Latchkey and get run de-duplication, job timeouts, SHA-pinned actions, self-healing for flaky steps, and up to 58% lower cost, applied automatically.

Grade your own workflow free or run it on Latchkey →
Source: NomaDamas/k-skill.github/workflows/release-npm.ymlLicense MITView source

What it does

This is the Release npm packages workflow from the NomaDamas/k-skill repository, a real project running GitHub Actions. It is shown here with attribution under its MIT license.

Below, Latchkey shows a faster, safer version produced by its optimization engine.

The workflow

workflow (.yml)
name: Release npm packages

on:
  workflow_dispatch:
  push:
    branches:
      - main
    paths:
      - ".changeset/**"
      - ".github/workflows/release-npm.yml"
      - "package-lock.json"
      - "package.json"
      - "packages/**"

permissions:
  contents: write
  pull-requests: write
  id-token: write

# npm publishes authenticate with the repository-level NPM_TOKEN secret.
# id-token stays enabled so npm can still attach provenance when supported.

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
        with:
          fetch-depth: 0

      - uses: actions/setup-node@v5
        with:
          node-version: 24
          cache: npm
          registry-url: https://registry.npmjs.org

      - run: npm ci
      - run: npm run ci

      - name: Preflight - verify npm auth
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          set -euo pipefail
          echo "::group::npm whoami"
          NPM_USER=$(npm whoami 2>&1) || {
            echo "::error::npm whoami failed - NPM_TOKEN is invalid or expired. Rotate the token and update the repository secret."
            exit 1
          }
          echo "Authenticated as: ${NPM_USER}"
          echo "::endgroup::"

      - name: Preflight - list unpublished packages (diagnostic)
        run: |
          set -euo pipefail
          echo "Packages that will be published:"
          FOUND=0
          for pkg_json in packages/*/package.json; do
            PRIVATE=$(node -e "console.log(require('./${pkg_json}').private || false)")
            [ "$PRIVATE" = "true" ] && continue

            PKG=$(node -e "console.log(require('./${pkg_json}').name)")
            LOCAL_VER=$(node -e "console.log(require('./${pkg_json}').version)")
            REMOTE_VER=$(npm view "${PKG}" version 2>/dev/null || echo "")

            if [ "${LOCAL_VER}" != "${REMOTE_VER}" ]; then
              echo "  → ${PKG}@${LOCAL_VER} (npm: ${REMOTE_VER:-not yet published})"
              FOUND=1
            fi
          done
          if [ "$FOUND" -eq 0 ]; then
            echo "  (none - all versions are already on npm)"
          fi

      - name: Create npm release PR or publish changed packages
        uses: changesets/action@v1
        with:
          version: npm run version-packages
          publish: npm run release:npm
          commit: "chore: version packages"
          title: "chore: version packages"
          createGithubReleases: false
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
          NPM_CONFIG_PROVENANCE: "true"

The same workflow, on Latchkey

Removes redundant runs and caps runaway jobs. Added and changed lines are highlighted.

name: Release npm packages
 
on:
  workflow_dispatch:
  push:
    branches:
      - main
    paths:
      - ".changeset/**"
      - ".github/workflows/release-npm.yml"
      - "package-lock.json"
      - "package.json"
      - "packages/**"
 
permissions:
  contents: write
  pull-requests: write
  id-token: write
 
# npm publishes authenticate with the repository-level NPM_TOKEN secret.
# id-token stays enabled so npm can still attach provenance when supported.
 
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true
 
jobs:
  release:
    timeout-minutes: 30
    runs-on: latchkey-small
    steps:
      - uses: actions/checkout@v5
        with:
          fetch-depth: 0
 
      - uses: actions/setup-node@v5
        with:
          node-version: 24
          cache: npm
          registry-url: https://registry.npmjs.org
 
      - run: npm ci
      - run: npm run ci
 
      - name: Preflight - verify npm auth
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
        run: |
          set -euo pipefail
          echo "::group::npm whoami"
          NPM_USER=$(npm whoami 2>&1) || {
            echo "::error::npm whoami failed - NPM_TOKEN is invalid or expired. Rotate the token and update the repository secret."
            exit 1
          }
          echo "Authenticated as: ${NPM_USER}"
          echo "::endgroup::"
 
      - name: Preflight - list unpublished packages (diagnostic)
        run: |
          set -euo pipefail
          echo "Packages that will be published:"
          FOUND=0
          for pkg_json in packages/*/package.json; do
            PRIVATE=$(node -e "console.log(require('./${pkg_json}').private || false)")
            [ "$PRIVATE" = "true" ] && continue
 
            PKG=$(node -e "console.log(require('./${pkg_json}').name)")
            LOCAL_VER=$(node -e "console.log(require('./${pkg_json}').version)")
            REMOTE_VER=$(npm view "${PKG}" version 2>/dev/null || echo "")
 
            if [ "${LOCAL_VER}" != "${REMOTE_VER}" ]; then
              echo "  → ${PKG}@${LOCAL_VER} (npm: ${REMOTE_VER:-not yet published})"
              FOUND=1
            fi
          done
          if [ "$FOUND" -eq 0 ]; then
            echo "  (none - all versions are already on npm)"
          fi
 
      - name: Create npm release PR or publish changed packages
        uses: changesets/action@v1
        with:
          version: npm run version-packages
          publish: npm run release:npm
          commit: "chore: version packages"
          title: "chore: version packages"
          createGithubReleases: false
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
          NPM_CONFIG_PROVENANCE: "true"
 

What changed

1 third-party action is referenced by a movable tag. Pin it to the commit SHA (Latchkey resolves and applies this automatically) so a repointed tag cannot change what runs.

What Latchkey heals here

This workflow has steps that commonly fail on transient issues (network, registries, flaky browsers). On Latchkey managed runners they are detected, retried, and self-healed instead of failing your build:

This workflow runs 1 job per trigger. On Latchkey the same minutes cost up to 58% less than GitHub-hosted, with zero queue time.

Actions used in this workflow