{"id":15020778,"url":"https://github.com/electron/semantic-release-npm-cfa","last_synced_at":"2025-10-01T12:31:11.921Z","repository":{"id":65976700,"uuid":"173402769","full_name":"electron/semantic-release-npm-cfa","owner":"electron","description":":ship: semantic-release plugin to publish a npm package using CFA for OTP","archived":false,"fork":true,"pushed_at":"2024-10-04T05:40:22.000Z","size":3077,"stargazers_count":2,"open_issues_count":1,"forks_count":2,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-10-30T00:00:44.617Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"semantic-release/npm","license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/electron.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2019-03-02T04:24:45.000Z","updated_at":"2024-10-04T05:39:06.000Z","dependencies_parsed_at":null,"dependency_job_id":"ab2ce993-b78b-4ffd-92e4-90692992c39d","html_url":"https://github.com/electron/semantic-release-npm-cfa","commit_stats":{"total_commits":372,"total_committers":35,"mean_commits":"10.628571428571428","dds":0.6532258064516129,"last_synced_commit":"3550fd63aa90c01ea0724a7c871bc21a9eaf63cf"},"previous_names":[],"tags_count":58,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/electron%2Fsemantic-release-npm-cfa","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/electron%2Fsemantic-release-npm-cfa/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/electron%2Fsemantic-release-npm-cfa/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/electron%2Fsemantic-release-npm-cfa/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/electron","download_url":"https://codeload.github.com/electron/semantic-release-npm-cfa/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":234794764,"owners_count":18887800,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-09-24T19:55:37.128Z","updated_at":"2025-10-01T12:31:11.545Z","avatar_url":"https://github.com/electron.png","language":"JavaScript","funding_links":[],"categories":[],"sub_categories":[],"readme":"# @continuous-auth/semantic-release-npm\n\n[**semantic-release**](https://github.com/semantic-release/semantic-release) plugin to publish a [npm](https://www.npmjs.com) package using [CFA](https://github.com/continuousauth/web) for 2FA codes.\n\n[![npm latest version](https://img.shields.io/npm/v/@continuous-auth/semantic-release-npm/latest.svg)](https://www.npmjs.com/package/@continuous-auth/semantic-release-npm)\n[![npm next version](https://img.shields.io/npm/v/@contiuous-auth/semantic-release-npm/next.svg)](https://www.npmjs.com/package/@continuous-auth/semantic-release-npm)\n\n| Step | Description |\n| ------------------ | -------------------------------------------------------------------------------------------------------------------------------- |\n| `verifyConditions` | Verify the presence of the `NPM_TOKEN` environment variable, or an `.npmrc` file, and verify the authentication method is valid. |\n| `prepare` | Update the `package.json` version and [create](https://docs.npmjs.com/cli/pack) the npm package tarball. |\n| `addChannel` | [Add a release to a dist-tag](https://docs.npmjs.com/cli/dist-tag). |\n| `publish` | [Publish the npm package](https://docs.npmjs.com/cli/publish) to the registry. |\n\n## Install\n\n```bash\n$ npm install @continuous-auth/semantic-release-npm -D\n```\n\n## Usage\n\nThe plugin can be configured in the [**semantic-release** configuration file](https://github.com/semantic-release/semantic-release/blob/master/docs/usage/configuration.md#configuration):\n\n```json\n{\n \"plugins\": [\"@semantic-release/commit-analyzer\", \"@semantic-release/release-notes-generator\", \"@continuous-auth/semantic-release-npm\"]\n}\n```\n\n## Configuration\n\n### npm registry authentication\n\nThe npm [token](https://docs.npmjs.com/about-access-tokens) authentication configuration is **required** and can be set via [environment variables](#environment-variables).\n\nAutomation tokens are recommended since they can be used for an automated workflow, even when your account is configured to use the [`auth-and-writes` level of 2FA](https://docs.npmjs.com/about-two-factor-authentication#authorization-and-writes).\n\n### npm provenance\n\nIf you are publishing to the official registry and your pipeline is on a [provider that is supported by npm for provenance](https://docs.npmjs.com/generating-provenance-statements#provenance-limitations), npm can be configured to [publish with provenance](https://docs.npmjs.com/generating-provenance-statements).\n\nSince semantic-release wraps the npm publish command, configuring provenance is not exposed directly.\nInstead, provenance can be configured through the [other configuration options exposed by npm](https://docs.npmjs.com/generating-provenance-statements#using-third-party-package-publishing-tools).\nProvenance applies specifically to publishing, so our recommendation is to configure under `publishConfig` within the `package.json`.\n\n#### npm provenance on GitHub Actions\n\nFor package provenance to be signed on the GitHub Actions CI the following permission is required\nto be enabled on the job:\n\n```yaml\npermissions:\n id-token: write # to enable use of OIDC for npm provenance\n```\n\nIt's worth noting that if you are using semantic-release to its fullest with a GitHub release, GitHub comments,\nand other features, then [more permissions are required](https://github.com/semantic-release/github#github-authentication) to be enabled on this job:\n\n```yaml\npermissions:\n contents: write # to be able to publish a GitHub release\n issues: write # to be able to comment on released issues\n pull-requests: write # to be able to comment on released pull requests\n id-token: write # to enable use of OIDC for npm provenance\n```\n\nRefer to the [GitHub Actions recipe for npm package provenance](https://semantic-release.gitbook.io/semantic-release/recipes/ci-configurations/github-actions#.github-workflows-release.yml-configuration-for-node-projects) for the full CI job's YAML code example.\n\n### Environment variables\n\n| Variable | Description |\n| ----------- | ----------------------------------------------------------------------------------------------------------------------------- |\n| `NPM_TOKEN` | Npm token created via [npm token create](https://docs.npmjs.com/getting-started/working_with_tokens#how-to-create-new-tokens) |\n| `CFA_PROJECT_ID` | Project ID on CFA |\n| `CFA_SECRET` | Secret configured on CFA for this repository |\n\n### Options\n\n| Options | Description | Default |\n| ------------ | ------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------- |\n| `npmPublish` | Whether to publish the `npm` package to the registry. If `false` the `package.json` version will still be updated. | `false` if the `package.json` [private](https://docs.npmjs.com/files/package.json#private) property is `true`, `true` otherwise. |\n| `pkgRoot` | Directory path to publish. | `.` |\n| `tarballDir` | Directory path in which to write the package tarball. If `false` the tarball is not be kept on the file system. | `false` |\n\n**Note**: The `pkgRoot` directory must contain a `package.json`. The version will be updated only in the `package.json` and `npm-shrinkwrap.json` within the `pkgRoot` directory.\n\n**Note**: If you use a [shareable configuration](https://github.com/semantic-release/semantic-release/blob/master/docs/usage/shareable-configurations.md#shareable-configurations) that defines one of these options you can set it to `false` in your [**semantic-release** configuration](https://github.com/semantic-release/semantic-release/blob/master/docs/usage/configuration.md#configuration) in order to use the default value.\n\n### npm configuration\n\nThe plugin uses the [`npm` CLI](https://github.com/npm/cli) which will read the configuration from [`.npmrc`](https://docs.npmjs.com/files/npmrc). See [`npm config`](https://docs.npmjs.com/misc/config) for the option list.\n\nThe [`registry`](https://docs.npmjs.com/misc/registry) can be configured via the npm environment variable `NPM_CONFIG_REGISTRY` and will take precedence over the configuration in `.npmrc`.\n\nThe [`registry`](https://docs.npmjs.com/misc/registry) and [`dist-tag`](https://docs.npmjs.com/cli/dist-tag) can be configured under `publishConfig` in the `package.json`:\n\n```json\n{\n \"publishConfig\": {\n \"registry\": \"https://registry.npmjs.org/\",\n \"tag\": \"latest\"\n }\n}\n```\n\n**Notes**:\n\n- The presence of an `.npmrc` file will override any specified environment variables.\n- The presence of `registry` or `dist-tag` under `publishConfig` in the `package.json` will take precedence over the configuration in `.npmrc` and `NPM_CONFIG_REGISTRY`\n\n### Examples\n\nThe `npmPublish` and `tarballDir` option can be used to skip the publishing to the `npm` registry and instead, release the package tarball with another plugin. For example with the [@semantic-release/github](https://github.com/semantic-release/github) plugin:\n\n```json\n{\n \"plugins\": [\n \"@semantic-release/commit-analyzer\",\n \"@semantic-release/release-notes-generator\",\n [\n \"@continuous-auth/semantic-release-npm\",\n {\n \"npmPublish\": false,\n \"tarballDir\": \"dist\"\n }\n ],\n [\n \"@semantic-release/github\",\n {\n \"assets\": \"dist/*.tgz\"\n }\n ]\n ]\n}\n```\n\nWhen publishing from a sub-directory with the `pkgRoot` option, the `package.json` and `npm-shrinkwrap.json` updated with the new version can be moved to another directory with a `postversion`. For example with the [@semantic-release/git](https://github.com/semantic-release/git) plugin:\n\n```json\n{\n \"plugins\": [\n \"@semantic-release/commit-analyzer\",\n \"@semantic-release/release-notes-generator\",\n [\n \"@continuous-auth/semantic-release-npm\",\n {\n \"pkgRoot\": \"dist\"\n }\n ],\n [\n \"@semantic-release/git\",\n {\n \"assets\": [\"package.json\", \"npm-shrinkwrap.json\"]\n }\n ]\n ]\n}\n```\n\n```json\n{\n \"scripts\": {\n \"postversion\": \"cp -r package.json .. \u0026\u0026 cp -r npm-shrinkwrap.json ..\"\n }\n}\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Felectron%2Fsemantic-release-npm-cfa","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Felectron%2Fsemantic-release-npm-cfa","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Felectron%2Fsemantic-release-npm-cfa/lists"}