menu
Setting GitHub as a trusted publisher for npm

Setting GitHub as a trusted publisher for npm

BackerLeader posted Originally published at stevefenton.co.uk 1 min read

So, stuff happened and npm has been updated to reduce the volume of stuff happening. In a world of SBOMs, SLSA, and supply chain attacks, it's time to get serious about publishing packages. In this case, that means using the new Trusted Publisher feature to connect GitHub (or GitLab) to npm.

Set the trusted publisher on npm

  1. Sign into npm
  2. Select the package you want to set up, for example astro-accelerator-utils
  3. Click Settings
  4. In the Trusted Publishers section, select your provider, in my case it's GitHub
  5. Enter you repository information:
    • Organization or user name, for example Steve-Fenton
    • Repository name, for example astro-accelerator-utils
    • The result should be that Steve-Fenton/astro-accelerator-utils matches your repo in GitHub
  6. Provide the workflow file name
    • This should match the workflow that will publish the package, in my case build-astro.yml
    • The file must be in .github/workflows/
  7. Click Set up connection

If you use environments, you can optionally limit publishing by environment.

Check you GitHub Action

In your permissions section, you need to allow id-token to be written.

permissions:
    id-token: write

You can then use the npm publish step in your workflow.

I conditionally publish based on the version number, so I only publish when the version number changes.

- name: Publish if version has been updated
    env:
        NPM_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}
    run: |
        PACKAGE_NAME=$(node -p "require('./package.json').name")
        LOCAL_VERSION=$(node -p "require('./package.json').version")
        REMOTE_VERSION=$(npm view $PACKAGE_NAME version || echo "0.0.0")

        if [ "$LOCAL_VERSION" != "$REMOTE_VERSION" ] && [ "$(printf '%s\n%s' "$REMOTE_VERSION" "$LOCAL_VERSION" | sort -V | tail -n1)" = "$LOCAL_VERSION" ]; then
        echo "Local version $LOCAL_VERSION is higher than remote version $REMOTE_VERSION. Publishing..."
        echo "//registry.npmjs.org/:_authToken=$NPM_AUTH_TOKEN" > ~/.npmrc
        npm publish --access public
        else
        echo "Version $LOCAL_VERSION is not newer than $REMOTE_VERSION. Skipping publish."
        fi

This is a more secure way to publish npm packages, but it's also easier because you don't need to keep updating tokens and secrets.

More Posts

The Audit Trail of Things: Using Hashgraph as a Digital Caliper for Provenance

Ken W. Algerverified - Apr 28

Local-First: The Browser as the Vault

Pocket Portfolio - Apr 20

Streamlining Your Next.js Project with Private GitHub/Gitlab Repositories as NPM Packages

Brian Baliach - Sep 10, 2025

Unlocking AI-Native Development: Key Highlights from GitHub Galaxy 2025

Sunny - Aug 10, 2025

GitHub workflows tips and tricks

Nicolas Fränkel - Aug 28, 2025
chevron_left

More From Steve Fenton

Origin Stories: Why I'm not cleaning bones like I thought I would

Roll up your chair: How one small change sparked a DevOps revolution

Modern developer experience has deep roots

Related Jobs

View all jobs →

Commenters (This Week)

10 comments
1 comment
1 comment

Contribute meaningful comments to climb the leaderboard and earn badges!