@omrimor
Forked from kettanaito/README.md
Created April 12, 2026 09:30
Publishing to npm in 2026

Prerequisites

  • Use Node.js v24. Trusted Publishing does not work on earlier versions of Node.js.

Steps

  1. Go to "Account > Access Tokens" and click "Generate Access Token".
  2. Give the new token "read and write" permissions to "All packages".
  3. If you have 2FA enabled on npm (which you should), check the "Bypass 2FA" checkbox neatly hidden in the UI. Otherwise, npm will fail with an error demanding an OTP during automatic publishing.
  4. Create the token.
  5. Add it as a secret in your GitHub repo.
  6. Provide it to your release automation tooling.
  7. In your package.json, make sure to set publishConfig.access to "public".
  8. (Optional) In your package.json, make sure to set repository.url to the HTTPS URL of your repository. This is only needed if you're planning on using provenance.
  9. In your publishing action, make sure to set permissions.id-token to write on the job level. This is required for Trusted Publishing.
```yaml
jobs:
  publish:
    permissions:
      id-token: write
```
  10. In actions/setup-node, make sure to set always-auth and registry-url. Without these, npm will think you are running a tokenless flow and will fail, because Trusted Publishing isn't configured for your package yet: you can't configure it until the package has been published at least once.
```yaml
- name: Set up Node.js
  uses: actions/setup-node@v4
  with:
    node-version: 24
    always-auth: true
    registry-url: 'https://registry.npmjs.org'
```
  11. Publish the first version of the package.
  12. Delete the generated access token from npm.
  13. Delete the npm token secret from GitHub.
  14. Delete always-auth and registry-url from the actions/setup-node action in your publishing workflow. If you don't, npm will try authenticating with a token and fail with a 404 (really a 403), meaning it thinks you want a token-based workflow.
  15. Go to your package on npmjs.com, then "Settings".
  16. In the "Trusted Publisher" section, fill in your GitHub username/org and the repo name. Fill in the GitHub Actions workflow filename. Watch out for typos.
  17. Apply changes.
  18. In the same package settings, go to "Publishing access" and set it to require 2FA.
  19. Apply changes.
  20. Enjoy life.
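The complete bootstrap workflow that the steps above describe, assembled here as an added example (it is not part of the gist). The file name, the release trigger, the `npm ci`/`npm test` steps and the `NPM_TOKEN` secret name are assumptions; comments mark the lines that exist only for the first publish and are removed afterwards.

```yaml
# .github/workflows/publish.yml (assumed path; the filename is what you
# enter in the "Trusted Publisher" settings on npmjs.com)
name: publish

on:
  release:
    types: [published]   # assumed trigger

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      # Setting permissions at job level resets everything else to "none",
      # so actions/checkout needs contents: read spelled out.
      contents: read
      # Required for Trusted Publishing: npm exchanges the GitHub OIDC
      # token for a short-lived publish credential.
      id-token: write
    steps:
      - uses: actions/checkout@v4

      - name: Set up Node.js
        uses: actions/setup-node@v4
        with:
          # Trusted Publishing needs Node.js v24 (bundled npm does the OIDC flow).
          node-version: 24
          # BOOTSTRAP ONLY: keep for the very first publish, delete both
          # lines afterwards. If left in, npm tries token auth and fails
          # with a 404 (really a 403) once the token is gone.
          always-auth: true
          registry-url: 'https://registry.npmjs.org'

      - run: npm ci
      - run: npm test

      - name: Publish
        # publishConfig.access is "public" in package.json, so no --access
        # flag is needed here. Provenance is attached automatically on the
        # trusted-publishing path once repository.url is set.
        run: npm publish
        env:
          # BOOTSTRAP ONLY: NPM_TOKEN is the assumed name of the repo secret
          # holding the "Bypass 2FA" token. setup-node reads NODE_AUTH_TOKEN
          # into the generated .npmrc. Delete this env block together with
          # the token and the secret after the first publish.
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

After the first release, remove the two setup-node keys and the env block; the job then publishes with nothing but `id-token: write` and the Trusted Publisher entry on npmjs.com, so there is no long-lived secret left to leak or rotate.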