A quick guide on how to set up a GitHub actions workflow to publish a npm package including the provenance badge and section on npmjs.com.
So far, you may have published your npm packages by simply invoking npm publish
. Using GitHub actions provides a more elegant way and also enables you to get this nice green checkmark badge behind the version number…
…as well as the provenance section for your packages at npmjs.com…
This provides an extra level of security by providing evidence of your packages origin facilitating sigstore. In this article we’ll show how to set up a simple GitHub actions workflow to publish your package including the signed provenance details.
Table of Contents
Prerequisites
To follow along this guide, you should have:
Generating a token for publishing packages on npmjs.com
First, you will need an access token for npmjs.com. For that log in at npmjs.com and head over to the Access Tokens section of your account. Then create a Classic Token
of type Automation
with any name, e.g. gh-actions-publish
. On creation, the token value will be shown once and never again, so make sure you get the value and save it in a secure place. After all is done, you should see the newly created token in your accounts token list, like so.
Using this token will enable your GitHub actions workflow to publish new package versions including bypassing 2FA.
Storing the npm token on GitHub
Next, store the generated npm token value as a secret in your GitHub repository. For that, head over to Settings
-> Secrets and variables
and press New repository secret
. Enter a name and the token value.
Here the created secret has the name NPM_TOKEN
. Having that, it can be referenced in GitHub actions workflow definitions by ${{ secrets.NPM_TOKEN }}
.
Setting up a GitHub action workflow for publishing on npmjs.com
Next step is to add a GitHub actions workflow definition for publishing your npm package at npmjs.com to the repository. For that, add the following YAML as a new file in .github/workflows,
e.g. ./github/workflows/npm-publish.yml
, in the repository.
name: npm-publish
on:
workflow_dispatch:
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
id-token: write
steps:
- uses: actions/checkout@v3
- uses: actions/setup-node@v3
with:
node-version: '18.x'
registry-url: 'https://registry.npmjs.org'
- run: npm ci
- run: npm publish --provenance --access public
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
This action workflow named npm-publish
will deploy a new version of your package at the npm registry with provenance statements. If your package is private, you can omit the --access public
option in the publishing step.
Running the workflow
With workflow_dispatch:
in the on
section, the provided GitHub action does not have any automatic trigger and will only run when started manually. This might be preferred to have full control of when a new package version will be published. If you rather want the publish workflow to run automatically on certain events in your repo, check out the possible triggers for the on section.
To start the workflow manually and publish the package, simply run…
$ gh workflow run npm-publish
…in the project directory. Please make sure the version number of your package was updated and all changes are committed & pushed before invoking the publishing action.
After the workflow has completed successfully, you should see the new version published on npmjs.com including the checkmark badge behind the version and the provenance details section.
In the GitHub actions logs for the npm publish
step of the executed workflow you can also see that the provenance statement was signed and transferred to sigstore, like so…
That’s it.
Happy coding 🙂