npm-trusted-publishing
について
このClaudeスキルは、OIDC信頼公開を利用してGitHub Actionsから安全なnpm公開を設定する開発者を支援し、長期間有効なNPM_TOKENシークレットの必要性を排除します。プロベナンス証明の設定を提供し、モノレポ公開ワークフローをサポートします。セキュリティを強化したnpmパッケージ公開のためのGitHub Actionsワークフローを作成または移行する際に、このスキルをご利用ください。
クイックインストール
Claude Code
推奨/plugin add https://github.com/pr-pm/prpmgit clone https://github.com/pr-pm/prpm.git ~/.claude/skills/npm-trusted-publishingこのコマンドをClaude Codeにコピー&ペーストしてスキルをインストールします
ドキュメント
NPM Trusted Publishing
Overview
Set up secure npm publishing from GitHub Actions using OIDC trusted publishing instead of long-lived NPM_TOKEN secrets.
When to Use
- Setting up npm publish workflow in GitHub Actions
- Migrating from NPM_TOKEN to trusted publishing
- Adding provenance attestations to packages
- Publishing monorepo packages
Quick Reference
| Requirement | Implementation |
|---|---|
| GitHub Actions permission | id-token: write |
| package.json field | repository.url matching GitHub repo |
| npm publish flag | --provenance |
| npmjs.com setup | Configure trusted publisher per package |
Implementation
1. GitHub Actions Workflow
permissions:
contents: write
id-token: write # Required for OIDC
jobs:
publish:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: "20"
registry-url: "https://registry.npmjs.org"
- run: npm ci
- run: npm run build
# No NODE_AUTH_TOKEN needed - uses OIDC
- run: npm publish --access public --provenance
2. package.json Repository Field
{
"name": "@scope/package",
"repository": {
"type": "git",
"url": "git+https://github.com/owner/repo.git",
"directory": "packages/subpackage"
}
}
Monorepo note: Include directory field for packages not at repo root.
3. npmjs.com Configuration
For each package, go to Settings > Publishing access and add:
- Repository:
owner/repo - Workflow:
publish.yml(or your workflow filename) - Environment: (optional)
Common Mistakes
| Mistake | Fix |
|---|---|
Missing --provenance flag | Add to npm publish command |
| Wrong URL format | Use git+https://github.com/... |
Missing id-token: write | Add to workflow permissions |
| Forgot npmjs.com setup | Configure trusted publisher in package settings |
| Using NODE_AUTH_TOKEN | Remove - OIDC handles auth |
| Outdated npm version | Add npm install -g npm@latest step (see below) |
npm Version Requirement
GitHub Actions runners may have an outdated npm version that doesn't properly support OIDC trusted publishing. This causes a confusing error:
npm notice Access token expired or revoked. Please try logging in again.
npm error code E404
npm error 404 Not Found - PUT https://registry.npmjs.org/@scope%2fpackage - Not found
Solution: Update npm to latest before publishing:
- uses: actions/setup-node@v4
with:
node-version: "20"
registry-url: "https://registry.npmjs.org"
- name: Update npm to latest
run: npm install -g npm@latest
- run: npm publish --access public --provenance
See GitHub Community Discussion #173102 for details.
Reference
GitHub リポジトリ
関連スキル
content-collections
メタThis skill provides a production-tested setup for Content Collections, a TypeScript-first tool that transforms Markdown/MDX files into type-safe data collections with Zod validation. Use it when building blogs, documentation sites, or content-heavy Vite + React applications to ensure type safety and automatic content validation. It covers everything from Vite plugin configuration and MDX compilation to deployment optimization and schema validation.
evaluating-llms-harness
テストThis Claude Skill runs the lm-evaluation-harness to benchmark LLMs across 60+ standardized academic tasks like MMLU and GSM8K. It's designed for developers to compare model quality, track training progress, or report academic results. The tool supports various backends including HuggingFace and vLLM models.
cloudflare-turnstile
メタThis skill provides comprehensive guidance for implementing Cloudflare Turnstile as a CAPTCHA-alternative bot protection system. It covers integration for forms, login pages, API endpoints, and frameworks like React/Next.js/Hono, while handling invisible challenges that maintain user experience. Use it when migrating from reCAPTCHA, debugging error codes, or implementing token validation and E2E tests.
webapp-testing
テストThis Claude Skill provides a Playwright-based toolkit for testing local web applications through Python scripts. It enables frontend verification, UI debugging, screenshot capture, and log viewing while managing server lifecycles. Use it for browser automation tasks but run scripts directly rather than reading their source code to avoid context pollution.