npm-trusted-publishing
Installation
SKILL.md
npm Trusted Publishing (OIDC)
Configure and debug secure, tokenless npm publishing from GitHub Actions using OpenID Connect (OIDC) and Provenance.
Core Requirements
Trusted Publishing eliminates the need for long-lived NPM_TOKEN secrets by using short-lived, cryptographically-signed tokens.
1. GitHub Actions Permissions
The workflow MUST have explicit permissions to fetch the OIDC ID token.
permissions:
id-token: write # Required for OIDC
contents: read # Required for checkout
2. Node.js Version
Trusted Publishing requires Node.js 22.14.0 or higher and npm 11.5.1 or higher.