npm-trusted-publishing
About
This Claude Skill helps developers set up secure npm publishing from GitHub Actions using OIDC trusted publishing, eliminating the need for long-lived NPM_TOKEN secrets. It provides configuration for provenance attestations and supports monorepo publishing workflows. Use this skill when creating or migrating a GitHub Actions workflow to publish npm packages with enhanced security.
Quick install
Claude Code
Recommended: `/plugin add https://github.com/pr-pm/prpm`

Alternative: `git clone https://github.com/pr-pm/prpm.git ~/.claude/skills/npm-trusted-publishing`

Copy and paste this command into Claude Code to install the skill.

Skill documentation
NPM Trusted Publishing
Overview
Set up secure npm publishing from GitHub Actions using OIDC trusted publishing instead of long-lived NPM_TOKEN secrets.
When to Use
- Setting up npm publish workflow in GitHub Actions
- Migrating from NPM_TOKEN to trusted publishing
- Adding provenance attestations to packages
- Publishing monorepo packages
Quick Reference
| Requirement | Implementation |
|---|---|
| GitHub Actions permission | id-token: write |
| package.json field | repository.url matching GitHub repo |
| npm publish flag | --provenance |
| npmjs.com setup | Configure trusted publisher per package |
Implementation
1. GitHub Actions Workflow
```yaml
permissions:
  contents: write
  id-token: write # Required for OIDC

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: "20"
          registry-url: "https://registry.npmjs.org"
      - run: npm ci
      - run: npm run build
      # No NODE_AUTH_TOKEN needed - uses OIDC
      - run: npm publish --access public --provenance
```
2. package.json Repository Field
```json
{
  "name": "@scope/package",
  "repository": {
    "type": "git",
    "url": "git+https://github.com/owner/repo.git",
    "directory": "packages/subpackage"
  }
}
```

Monorepo note: include the `directory` field for packages that are not at the repository root.
3. npmjs.com Configuration
For each package, go to Settings > Publishing access and add:
- Repository: `owner/repo`
- Workflow: `publish.yml` (or your workflow filename)
- Environment: (optional)
Common Mistakes
| Mistake | Fix |
|---|---|
| Missing `--provenance` flag | Add it to the `npm publish` command |
| Wrong URL format | Use `git+https://github.com/...` |
| Missing `id-token: write` | Add it to the workflow `permissions` |
| Forgot npmjs.com setup | Configure the trusted publisher in the package settings |
| Using `NODE_AUTH_TOKEN` | Remove it; OIDC handles auth |
| Outdated npm version | Add an `npm install -g npm@latest` step (see below) |
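The mistakes above are all visible in two files before the workflow ever runs. The following Node script is an added pre-flight check written for this page; it is not part of the skill, npm or GitHub tooling. It normalises `repository.url` to `owner/repo` and compares it with the repository the workflow runs in, checks the monorepo `directory` field, and scans the workflow text for `id-token: write`, `--provenance` and leftover token references. The workflow scan uses regular expressions instead of a YAML parser so the script has no dependencies; the sample package.json objects and workflow texts are constructed for the example.

```javascript
// Pre-flight checks for an npm trusted-publishing setup (added example).

// Normalise the GitHub URL forms npm accepts (git+https://..., https://...,
// git@github.com:..., github:owner/repo, bare owner/repo) to "owner/repo".
// Returns null for anything that is not recognised as a GitHub repository.
function repoSlug(repository) {
  const url = typeof repository === 'string' ? repository : repository && repository.url;
  if (typeof url !== 'string') return null;
  const m = url.match(
    /^(?:git\+)?(?:https?:\/\/github\.com\/|git@github\.com:|github:)?([\w.-]+)\/([\w.-]+?)(?:\.git)?\/?$/
  );
  return m ? `${m[1]}/${m[2]}` : null;
}

// packageDir is the package's path inside the repository ('' for the root).
function checkPackageJson(pkg, expectedSlug, packageDir = '') {
  const problems = [];
  const slug = repoSlug(pkg.repository);
  if (!slug) {
    problems.push('repository.url missing or not in a recognised GitHub form; use git+https://github.com/owner/repo.git');
  } else if (slug.toLowerCase() !== expectedSlug.toLowerCase()) {
    problems.push(`repository.url names ${slug} but the workflow runs in ${expectedSlug}`);
  }
  const dir = pkg.repository && pkg.repository.directory;
  if (packageDir && dir !== packageDir) {
    problems.push(`monorepo package at ${packageDir} needs repository.directory = "${packageDir}"`);
  }
  return problems;
}

function checkWorkflow(yamlText) {
  const problems = [];
  // Drop YAML comments so a comment such as "# No NODE_AUTH_TOKEN needed" is not flagged.
  const body = yamlText.replace(/(^|\s)#[^\n]*/gm, '$1');
  if (!/^\s*id-token:\s*write\b/m.test(body)) problems.push('permissions block lacks id-token: write');
  const publishLines = body.match(/npm publish[^\n]*/g) || [];
  if (publishLines.length === 0) problems.push('no npm publish step found');
  for (const line of publishLines) {
    if (!/--provenance\b/.test(line)) problems.push(`publish step lacks --provenance: "${line.trim()}"`);
  }
  if (/NODE_AUTH_TOKEN|NPM_TOKEN/.test(body)) problems.push('workflow still references a long-lived token; OIDC handles auth');
  return problems;
}

// Returns the combined list of problems; an empty list means the setup matches the skill.
function preflight({ pkg, packageDir, workflow, expectedSlug }) {
  return [...checkPackageJson(pkg, expectedSlug, packageDir), ...checkWorkflow(workflow)];
}

// Constructed samples: one correct setup and one with the common mistakes.
const GOOD_PKG = {
  name: '@scope/package',
  repository: { type: 'git', url: 'git+https://github.com/owner/repo.git', directory: 'packages/subpackage' },
};
const BAD_PKG = { name: '@scope/package', repository: { type: 'git', url: 'https://github.com/owner/other-repo' } };

const GOOD_WORKFLOW = `
permissions:
  contents: write
  id-token: write # Required for OIDC
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm ci
      # No NODE_AUTH_TOKEN needed - uses OIDC
      - run: npm publish --access public --provenance
`;
const BAD_WORKFLOW = `
permissions:
  contents: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: npm publish --access public
        env:
          NODE_AUTH_TOKEN: \${{ secrets.NPM_TOKEN }}
`;

for (const [label, pkg, workflow] of [['good', GOOD_PKG, GOOD_WORKFLOW], ['bad', BAD_PKG, BAD_WORKFLOW]]) {
  const problems = preflight({ pkg, packageDir: 'packages/subpackage', workflow, expectedSlug: 'owner/repo' });
  console.log(`${label}: ${problems.length ? '\n  ' + problems.join('\n  ') : 'ok'}`);
}
```

In a real repository you would read `package.json` and `.github/workflows/publish.yml` from disk and take `expectedSlug` from the `GITHUB_REPOSITORY` environment variable that Actions sets; the slug comparison is case-insensitive because GitHub treats owner and repository names that way.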
npm Version Requirement
GitHub Actions runners may have an outdated npm version that doesn't properly support OIDC trusted publishing. This causes a confusing error:
```text
npm notice Access token expired or revoked. Please try logging in again.
npm error code E404
npm error 404 Not Found - PUT https://registry.npmjs.org/@scope%2fpackage - Not found
```
Solution: Update npm to latest before publishing:
```yaml
      - uses: actions/setup-node@v4
        with:
          node-version: "20"
          registry-url: "https://registry.npmjs.org"
      - name: Update npm to latest
        run: npm install -g npm@latest
      - run: npm publish --access public --provenance
```
See GitHub Community Discussion #173102 for details.
Reference
GitHub repository
