@kettanaito
Last active March 30, 2026 19:32
Publishing to npm in 2026

Prerequisites

  • Use Node.js v24. Trusted Publishing does not work on earlier versions of Node.js.

Steps

  1. Go to "Account > Access Tokens" and click "Generate Access Token".
  2. Give the new token "read and write" permissions to "All packages".
  3. If you have 2FA enabled on npm (which you should), check the "Bypass 2FA" checkbox neatly hidden in the UI. Otherwise, npm will fail with an error demanding an OTP during automatic publishing.
  4. Create the token.
  5. Add it as a secret in your GitHub repo.
  6. Provide it to your release automation tooling.
  7. In your package.json make sure to set publishConfig.access to "public".
  8. (Optional) In your package.json make sure to set repository.url to the HTTPS URL of your repository. This is only needed if you're planning on using provenance.
  9. In your publishing action, make sure to set permissions.id-token to write on the job level. This is required for Trusted Publishing.
jobs:
  publish:
    permissions:
      id-token: write
  10. In actions/setup-node, make sure to set always-auth and registry-url. Without these, npm assumes you are running a tokenless (Trusted Publishing) flow and fails, because Trusted Publishing cannot be configured for a package until that package has been published at least once.
- name: Set up Node.js
  uses: actions/setup-node@v4
  with:
    node-version: 24
    always-auth: true
    registry-url: 'https://registry.npmjs.org'
  11. Publish the first version of the package.
  12. Delete the generated access token from npm.
  13. Delete the npm token secret from GitHub.
  14. Delete always-auth and registry-url from the actions/setup-node action in your publishing workflow. If you don't, npm will try token authentication and fail with a 404 (which really means 403), because it thinks you want a token-based workflow.
  15. Go to your package on npmjs.com, then "Settings".
  16. In the "Trusted Publisher" section, fill in your GitHub username/org and the repo name. Fill in the GitHub Actions workflow name. Watch out for typos.
  17. Apply changes.
  18. In the same package settings, go to "Publishing access" and set it to require 2FA.
  19. Apply changes.
  20. Enjoy life.
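As an added example (not part of the gist), this is what the finished publishing workflow looks like once the bootstrap steps above are done and the token is gone. The tag trigger, file name and runner are assumptions; the one-time bootstrap differences are noted in comments.

```yaml
# .github/workflows/publish.yml  (assumed file name; it must match the workflow
# entered in the package's "Trusted Publisher" settings on npmjs.com)
name: Publish to npm

on:
  push:
    tags:
      - 'v*'            # assumption: releases are cut by pushing a version tag

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # lets the job mint an OIDC token; required for Trusted Publishing
    steps:
      - uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          node-version: 24
          # No always-auth / registry-url here. They were only needed in the
          # bootstrap run that published the first version with the temporary
          # token; leaving them in makes npm expect a token and fail.

      - run: npm ci
      - run: npm test

      # npm authenticates with the job's OIDC token, so no NODE_AUTH_TOKEN is set.
      # --provenance attaches a signed attestation tying the tarball to this
      # exact workflow run; it needs repository.url in package.json.
      - run: npm publish --provenance
```

For the one-time bootstrap run, the same job additionally sets `always-auth: true` and `registry-url: 'https://registry.npmjs.org'` on setup-node and passes the temporary token to the publish step as `env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` (secret name assumed).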
@ryan-zayne

Wow, all these steps for every single package I want to publish? Darn... 😅
