{"id":15825346,"url":"https://github.com/js-devtools/npm-publish","last_synced_at":"2026-01-07T21:17:34.508Z","repository":{"id":37710831,"uuid":"235231513","full_name":"JS-DevTools/npm-publish","owner":"JS-DevTools","description":"GitHub Action to publish to NPM","archived":false,"fork":false,"pushed_at":"2025-01-27T21:55:39.000Z","size":2143,"stargazers_count":634,"open_issues_count":3,"forks_count":78,"subscribers_count":5,"default_branch":"main","last_synced_at":"2025-05-05T19:10:57.427Z","etag":null,"topics":["github-action","javascript","nodejs","npm","npm-publish","typescript","version-bump","version-checker"],"latest_commit_sha":null,"homepage":"https://jstools.dev/npm-publish","language":"TypeScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/JS-DevTools.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-01-21T01:25:58.000Z","updated_at":"2025-04-05T01:03:30.000Z","dependencies_parsed_at":"2024-01-01T20:25:38.118Z","dependency_job_id":"9f11efc2-a6bb-477e-9853-9eed691d2d16","html_url":"https://github.com/JS-DevTools/npm-publish","commit_stats":{"total_commits":232,"total_committers":17,"mean_commits":"13.647058823529411","dds":0.4267241379310345,"last_synced_commit":"e06fe3ef65499b38eb12224f2a60979f6d797330"},"previous_names":[],"tags_count":40,"template":false,"template_full_name":"JS-DevTools/template-node-typescript","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JS-DevTools%2Fnpm-publish","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JS-DevTools%2Fnpm-publish/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JS-DevTools%2Fnpm-publish/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/JS-DevTools%2Fnpm-publish/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/JS-DevTools","download_url":"https://codeload.github.com/JS-DevTools/npm-publish/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254028511,"owners_count":22002275,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["github-action","javascript","nodejs","npm","npm-publish","typescript","version-bump","version-checker"],"created_at":"2024-10-05T09:08:18.337Z","updated_at":"2026-01-07T21:17:34.502Z","avatar_url":"https://github.com/JS-DevTools.png","language":"TypeScript","readme":"# Fast, easy publishing to NPM\n\n[![Build Status](https://github.com/JS-DevTools/npm-publish/workflows/CI-CD/badge.svg)](https://github.com/JS-DevTools/npm-publish/actions)\n[![Coverage Status](https://coveralls.io/repos/github/JS-DevTools/npm-publish/badge.svg?branch=main)](https://coveralls.io/github/JS-DevTools/npm-publish)\n[![npm](https://img.shields.io/npm/v/@jsdevtools/npm-publish.svg)](https://www.npmjs.com/package/@jsdevtools/npm-publish)\n[![License](https://img.shields.io/npm/l/@jsdevtools/npm-publish.svg)](LICENSE)\n[![Buy us a tree](https://img.shields.io/badge/Treeware-%F0%9F%8C%B3-lightgreen)](https://plant.treeware.earth/JS-DevTools/npm-publish)\n\nPublish packages to npm automatically in GitHub Actions whenever a change to your package's `version` field is detected.\n\n- [Change log][releases]\n- [v3 to v4 migration guide](#v3-to-v4)\n- [v2 to v4 migration guide](#v2-to-v4)\n- [v1 to v4 migration guide](#v1-to-v4)\n\n[releases]: https://github.com/JS-DevTools/npm-publish/releases\n\n## ⚠️ You probably don't need this!\n\nThis action automates a specific kind of continuous deployment to `npm`, where you want to publish whenever the `version` field in `package.json` changes on your `main` branch. If you prefer to publish on tags (for example, those created by the `npm version` command), or are using an alternative package manager like `pnpm`, you don't need this action! Simply configure `setup-node` with its `registry-url` option and call your package manager's `publish` command directly. This is more secure than relying on a third-party action like this one, and is more customizable.\n\n```yaml\n# Publish to npm whenever a tag is pushed\nname: Publish to npm\non:\n push:\n tags: v*\njobs:\n build:\n runs-on: ubuntu-latest\n permissions:\n contents: read\n id-token: write\n steps:\n - uses: actions/checkout@v5\n - uses: actions/setup-node@v5\n with:\n node-version: \"24\"\n registry-url: \"https://registry.npmjs.org\"\n - run: npm ci\n - run: npm test\n - run: npm publish --provenance --ignore-scripts\n env:\n NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}\n```\n\nSee GitHub's [Node.js publishing][] guide and npm's [trusted publishing][] docs for more details and examples.\n\n[Node.js publishing]: https://docs.github.com/en/actions/tutorials/publish-packages/publish-nodejs-packages\n[trusted publishing]: https://docs.npmjs.com/trusted-publishers#supported-cicd-providers\n\n## Features\n\n- 🧠 **Smart**\n Only publishes if the version number in `package.json` differs from the latest on npm.\n\n- 🛠 **Configurable**\n Customize the version-checking behavior, the registry URL, and path of your package.\n\n- 🔐 **Secure**\n Keeps your npm authentication token secret. Doesn't read nor write to `~/.npmrc`.\n\n- ⚡ **Fast**\n 100% JavaScript (which is faster than Docker) and bundled to optimize loading time.\n\n- 📤 **Outputs**\n Exposes the old and new version numbers, and the type of change (major, minor, patch, etc.) as variables that you can use in your workflow.\n\n## Usage\n\nThis package can be used three different ways:\n\n- 🤖 A [**GitHub Action**](#github-action) as part of your CI/CD process\n\n- 🧩 A [**function**](#javascript-api) that you call in your JavaScript code\n\n- 🖥 A [**CLI**](#command-line-interface) that you run in your terminal\n\n## GitHub Action\n\nTo use the GitHub Action, you'll need to add it as a step in your [workflow file][]. By default, the only thing you need to do is set the `token` parameter to your [npm authentication token][].\n\n```yaml\non:\n push:\n branches: main\n\njobs:\n publish:\n runs-on: ubuntu-latest\n steps:\n - uses: actions/checkout@v5\n - uses: actions/setup-node@v5\n with:\n node-version: \"24\"\n - run: npm ci\n - run: npm test\n - uses: JS-DevTools/npm-publish@v4\n with:\n token: ${{ secrets.NPM_TOKEN }}\n```\n\nIf you have [trusted publishing][] configured for your package and use `npm@\u003e=11.5.1`, you can omit the `token` input and use OIDC instead.\n\n\u003e [!IMPORTANT]\n\u003e If you're publishing a private package, you will still need to provide a read-only `token` so the action can read existing versions from the registry before publish.\n\n```diff\n jobs:\n publish:\n runs-on: ubuntu-latest\n+ permissions:\n+ contents: read\n+ id-token: write # required to use OIDC\n steps:\n - uses: actions/checkout@v5\n - uses: actions/setup-node@v5\n with:\n node-version: \"24\" # includes npm@11.6.0\n - run: npm ci\n - run: npm test\n - uses: JS-DevTools/npm-publish@v4\n- with:\n- token: ${{ secrets.NPM_TOKEN }}\n```\n\nYou can also publish to third-party registries. For example, to publish to the [GitHub Package Registry][], set `token` to `secrets.GITHUB_TOKEN` and `registry` to `https://npm.pkg.github.com`:\n\n```yaml\non:\n push:\n branches: main\n\njobs:\n publish:\n runs-on: ubuntu-latest\n permissions:\n contents: read\n packages: write # allow GITHUB_TOKEN to publish packages\n steps:\n - uses: actions/checkout@v5\n - uses: actions/setup-node@v5\n with:\n node-version: \"24\"\n - run: npm ci\n - run: npm test\n - uses: JS-DevTools/npm-publish@v4\n with:\n token: ${{ secrets.GITHUB_TOKEN }}\n registry: \"https://npm.pkg.github.com\"\n```\n\n[workflow file]: https://help.github.com/en/actions/automating-your-workflow-with-github-actions\n[npm authentication token]: https://docs.npmjs.com/creating-and-viewing-authentication-tokens\n[GitHub Package Registry]: https://docs.github.com/en/packages/working-with-a-github-packages-registry/working-with-the-npm-registry\n[good security practices]: https://docs.github.com/en/actions/reference/security/secure-use#using-third-party-actions\n\n### Action usage\n\nYou can set any or all of the following input parameters using `with`:\n\n| Name | Type | Default | Description |\n| ---------------- | ---------------------- | ----------------------------- | -------------------------------------------------------------------------------- |\n| `token` | string | unspecified | Registry authentication token, not required if using [trusted publishing][]³ |\n| `registry`¹ | string | `https://registry.npmjs.org/` | Registry URL to use. |\n| `package` | string | Current working directory | Path to a package directory, a `package.json`, or a packed `.tgz` to publish. |\n| `tag`¹ | string | `latest` | [Distribution tag][npm-tag] to publish to. |\n| `access`¹ | `public`, `restricted` | [npm defaults][npm-access] | Whether the package should be publicly visible or restricted. |\n| `provenance`¹ ² | boolean | `false` | Run `npm publish` with the `--provenance` flag to add [provenance][] statements. |\n| `strategy` | `all`, `upgrade` | `all` | Use `all` to publish all unique versions, `upgrade` for only semver upgrades. |\n| `ignore-scripts` | boolean | `true` | Run `npm publish` with the `--ignore-scripts` flag as a security precaution. |\n| `dry-run` | boolean | `false` | Run `npm publish` with the `--dry-run` flag to prevent publication. |\n\n1. May be specified using `publishConfig` in `package.json`.\n2. Provenance requires npm `\u003e=9.5.0`.\n3. Trusted publishing npm `\u003e=11.5.1` and must be run from a supported cloud provider.\n\n[npm-tag]: https://docs.npmjs.com/cli/v9/commands/npm-publish#tag\n[npm-access]: https://docs.npmjs.com/cli/v9/commands/npm-publish#access\n[provenance]: https://docs.npmjs.com/generating-provenance-statements\n\n### Action output\n\nnpm-publish exposes several output variables, which you can use in later steps of your workflow if you provide an `id` for the npm-publish step.\n\n```diff\n steps:\n - uses: JS-DevTools/npm-publish@v4\n+ id: publish\n with:\n token: ${{ secrets.NPM_TOKEN }}\n\n+ - if: ${{ steps.publish.outputs.type }}\n+ run: echo \"Version changed!\"\n```\n\n| Name | Type | Description |\n| ------------- | ------- | ------------------------------------------------------------------------------------------------------------- |\n| `id` | string | Package identifier of the release: `${name}@${version}` or empty if no release. |\n| `type` | string | [Semver release type][], `initial` if first release, `different` if other change, or empty if no release. |\n| `name` | string | Name of the package. |\n| `version` | string | Version of the package. |\n| `old-version` | string | Previously published version on `tag` or empty if no previous version on tag. |\n| `tag` | string | [Distribution tag][npm-tag] the package was published to. |\n| `access` | string | [Access level][npm-access] the package was published with, or `default` if scoped-package defaults were used. |\n| `registry` | string | Registry the package was published to. |\n| `dry-run` | boolean | Whether `npm publish` was run in \"dry run\" mode. |\n\n[semver release type]: https://github.com/npm/node-semver#release_types\n\n## JavaScript API\n\nTo use npm-package in your JavaScript code, you'll need to install it using [npm][] or other package manager of choice:\n\n```bash\nnpm install --save-dev @jsdevtools/npm-publish\n```\n\nYou can then import it and use it in your code like this:\n\n```javascript\nimport { npmPublish } from \"@jsdevtools/npm-publish\";\n\n// Run npm-publish with all defaults\nawait npmPublish({ token: \"YOUR_NPM_AUTH_TOKEN_HERE\" });\n```\n\n[npm]: https://docs.npmjs.com/about-npm/\n\n### API usage\n\nAs shown in the example above, you should pass an options object to the `npmPublish` function. In TypeScript, the `Options` interface is available as an import.\n\n```ts\nimport type { Options } from \"@jsdevtools/npm-publish\";\n```\n\n| Name | Type | Default | Description |\n| -------------------- | ---------------------- | ----------------------------- | -------------------------------------------------------------------------------- |\n| `token` | string | **required** | Registry authentication token, not required if using [trusted publishing][]³ |\n| `registry`¹ | string, `URL` | `https://registry.npmjs.org/` | Registry URL to use. |\n| `package` | string | Current working directory | Path to a package directory, a `package.json`, or a packed `.tgz` to publish. |\n| `tag`¹ | string | `latest` | [Distribution tag][npm-tag] to publish to. |\n| `access`¹ | `public`, `restricted` | [npm defaults][npm-access] | Whether the package should be publicly visible or restricted. |\n| `provenance`¹ ² | boolean | `false` | Run `npm publish` with the `--provenance` flag to add [provenance][] statements. |\n| `strategy` | `all`, `upgrade` | `all` | Use `all` to publish all unique versions, `upgrade` for only semver upgrades. |\n| `ignoreScripts` | boolean | `true` | Run `npm publish` with the `--ignore-scripts` flag as a security precaution. |\n| `dryRun` | boolean | `false` | Run `npm publish` with the `--dry-run` flag to prevent publication. |\n| `logger` | object | `undefined` | Logging interface with `debug`, `info`, and `error` log methods. |\n| `temporaryDirectory` | string | `os.tmpdir()` | Temporary directory to hold a generated `.npmrc` file |\n\n1. May be specified using `publishConfig` in `package.json`.\n2. Provenance requires npm `\u003e=9.5.0`.\n3. Trusted publishing npm `\u003e=11.5.1` and must be run from a supported cloud provider.\n\n### API output\n\nThe `npmPublish()` function returns a promise of a `Results` object. In TypeScript, the `Results` interface is available as an import.\n\n```ts\nimport type { Results } from \"@jsdevtools/npm-publish\";\n```\n\n| Name | Type | Description |\n| ------------ | --------------- | --------------------------------------------------------------------------------------------------------------- |\n| `id` | Optional string | Package identifier of the release: `${name}@${version}` or `undefined` if no release. |\n| `type` | Optional string | [Semver release type][], `initial` if first release, `different` if other change, or `undefined` if no release. |\n| `name` | string | Name of the package. |\n| `version` | string | Version of the package. |\n| `oldVersion` | Optional string | Previously published version on `tag` or `undefined` if no previous version. |\n| `tag` | string | [Distribution tag][npm-tag] that the package was published to. |\n| `access` | Optional string | [Access level][npm-access] the package was published with, or `undefined` if scoped-package defaults were used. |\n| `registry` | `URL` | Registry the package was published to. |\n| `dryRun` | boolean | Whether `npm publish` was run in \"dry run\" mode. |\n\n## Command Line Interface\n\nYou can also use `npm-publish` as a command-line tool in your terminal.\n\n```bash\nnpm install --save-dev @jsdevtools/npm-publish\n```\n\nYou can then use it in your terminal or in `npm run` scripts.\n\n```bash\nnpx npm-publish --token YOUR_NPM_AUTH_TOKEN_HERE\n```\n\nYou can customize your call with options to change the registry, package, etc.\n\n```bash\nnpx npm-publish --token YOUR_NPM_AUTH_TOKEN_HERE --registry http://example.com ./path/to/package\n```\n\n### Options\n\nRun `npm-publish --help` to see the full list of options available.\n\n```text\nUsage:\n\n npm-publish \u003coptions\u003e [package]\n\nArguments:\n\n package The path to the package to publish.\n May be a directory, package.json, or .tgz file.\n Defaults to the package in the current directory.\n\nOptions:\n\n --token \u003ctoken\u003e npm authentication token.\n Not required if using trusted publishing.\n See npm documentation for details.\n\n --registry \u003curl\u003e Registry to read from and write to.\n Defaults to \"https://registry.npmjs.org/\".\n\n --tag \u003ctag\u003e The distribution tag to check against and publish to.\n Defaults to \"latest\".\n\n --access \u003caccess\u003e Package access, may be \"public\" or \"restricted\".\n See npm documentation for details.\n\n --provenance Publish with provenance statements.\n See npm documentation for details.\n\n --strategy \u003cstrategy\u003e Publish strategy, may be \"all\" or \"upgrade\".\n Defaults to \"all\", see documentation for details.\n\n --no-ignore-scripts Allow lifecycle scripts, which are disabled by default\n as a security precaution. Defaults to false.\n\n --dry-run Do not actually publish anything.\n --quiet Only print errors.\n --debug Print debug logs.\n\n -v, --version Print the version number.\n -h, --help Show usage text.\n\nExamples:\n\n $ npm-publish --token abc123 ./my-package\n```\n\n## Migration guides\n\nMajor releases of the action and libraries may contain breaking changes, documented here.\nFor more detailed change logs, see [releases][].\n\n### v3 to v4\n\nThe `v4` release does not require any changes to how you use the `npm-publish` action from `v3`. The action was updated to Node 24 / npm 11.\n\nIn the library and CLI, support for Node 16 and Node 18 was dropped in `v4`, and the library API was switched to ESM-only. Library users should switch to ESM or update Node to a version with support for [loading ES modules using `require`][esm-require].\n\n[esm-require]: https://nodejs.org/api/modules.html#loading-ecmascript-modules-using-require\n\n### v2 to v4\n\nThe `v4` release does not require any changes to how you use the `npm-publish` action from `v2`. The action was updated to Node 20 in `v3` due to GitHub Action's [deprecation of Node 16][node16-deprecation], and then updated to Node 24 in `v4`.\n\nIn the library and CLI, support for Node 16 and Node 18 was dropped in `v4`, and the library API was switched to ESM-only. Library users should switch to ESM or update Node to a version with support for [loading ES modules using `require`][esm-require].\n\n[node16-deprecation]: https://github.blog/changelog/2023-09-22-github-actions-transitioning-from-node-16-to-node-20/\n\n### v1 to v4\n\nThe v2 release made several breaking changes to inputs, outputs, and behaviors that were present in `v1`. The examples below focus on the action, but the same changes are applicable to the library and CLI, too.\n\nIn the library and CLI, support for Node 16 and Node 18 was dropped in `v4`, and the library API was switched to ESM-only. Library users should switch to ESM or update Node to a version with support for [loading ES modules using `require`][esm-require].\n\n#### option changes\n\nThe `check-version` and `greater-version-only` boolean options were replaced with the `strategy` option:\n\n- `strategy: all` (default) will publish any version that does not yet exist in the registry\n- `strategy: upgrade` will publish only if the version is a semver upgrade of the requested `dist-tag`\n\n```diff\n with:\n token: ${{ secrets.NPM_TOKEN }}\n- check-version: true\n- greater-version-only: false\n+ strategy: all\n\n with:\n token: ${{ secrets.NPM_TOKEN }}\n- check-version: true\n- greater-version-only: true\n+ strategy: upgrade\n```\n\n`check-version: false` has been removed. If you only need to publish, without first checking whether the version exists in the registry, you can [use `npm` directly][publishing-nodejs-packages] instead:\n\n```diff\n - uses: actions/setup-node@v5\n with:\n node-version: '24'\n+ registry-url: https://registry.npmjs.org/\n\n- - uses: JS-DevTools/npm-publish@v1\n- with:\n- token: ${{ secrets.NPM_TOKEN }}\n- check-version: false\n+ - run: npm publish\n+ env:\n+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}\n```\n\n[publishing-nodejs-packages]: https://docs.github.com/actions/publishing-packages/publishing-nodejs-packages\n\n#### output changes\n\nThe `type` output is now an empty string instead of `'none'` when no release occurs\n\n```diff\n - run: echo \"Version changed!\"\n- if: ${{ steps.publish.outputs.type != 'none' }}\n+ if: ${{ steps.publish.outputs.type }}\n```\n\n#### behavior changes\n\nThe `--ignore-scripts` option is now passed to `npm publish` as a security precaution. If you define any publish lifecycle scripts - `prepublishOnly`, `prepack`, `prepare`, `postpack`, `publish`, `postpublish` - we recommend you run that logic as a separate explicit build step.\n\n```diff\n+ - run: npm run build\n\n- - uses: JS-DevTools/npm-publish@v1\n+ - uses: JS-DevTools/npm-publish@v4\n with:\n token: ${{ secrets.NPM_TOKEN }}\n```\n\nIf you can't change your build, you can set the `ignore-scripts` input to `false` as a workaround. Be aware that failures during a lifecycle script can be difficult to debug, and any `stdout`/`stderr` output from your build script could interfere with how `npm-publish` interprets results from the `npm` CLI.\n\n```diff\n- - uses: JS-DevTools/npm-publish@v1\n+ - uses: JS-DevTools/npm-publish@v4\n with:\n token: ${{ secrets.NPM_TOKEN }}\n+ ignore-scripts: false\n```\n\nThe global `.npmrc` file is no longer read nor modified. This means the `token` option is now required for the library and CLI. (It was already required for the action.) You may have workarounds in place referencing `INPUT_TOKEN`, which v1 [erroneously wrote][#15] to `.npmrc`. These workarounds should be removed.\n\n```diff\n - uses: actions/setup-node@v5\n with:\n node-version: '24'\n registry-url: https://registry.npmjs.org/\n\n- - uses: JS-DevTools/npm-publish@v1\n+ - uses: JS-DevTools/npm-publish@v4\n with:\n token: ${{ secrets.NPM_TOKEN }}\n\n - name: Do some more stuff with npm\n run: npm whoami\n env:\n- INPUT_TOKEN: ${{ secrets.NPM_TOKEN }}\n+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}\n```\n\n[#15]: https://github.com/JS-DevTools/npm-publish/issues/15\n\n## License\n\nnpm-publish is 100% free and open-source, under the [MIT license](LICENSE). Use it however you want.\n\nThis package is [Treeware](http://treeware.earth). If you use it in production, then we ask that you [**buy the world a tree**](https://plant.treeware.earth/JS-DevTools/npm-publish) to thank us for our work. By contributing to the Treeware forest you’ll be creating employment for local families and restoring wildlife habitats.\n\n## Big Thanks To\n\nThanks to these awesome companies for their support of Open Source developers ❤\n\n[![GitHub](https://jstools.dev/img/badges/github.svg)](https://github.com/open-source)\n[![NPM](https://jstools.dev/img/badges/npm.svg)](https://www.npmjs.com/)\n[![Coveralls](https://jstools.dev/img/badges/coveralls.svg)](https://coveralls.io)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjs-devtools%2Fnpm-publish","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjs-devtools%2Fnpm-publish","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjs-devtools%2Fnpm-publish/lists"}