npm-trusted-publishing
NPM Trusted Publishing
Overview
Set up secure npm publishing from GitHub Actions using OIDC trusted publishing instead of long-lived NPM_TOKEN secrets.
When to Use
- Setting up npm publish workflow in GitHub Actions
- Migrating from NPM_TOKEN to trusted publishing
- Adding provenance attestations to packages
- Publishing monorepo packages
Quick Reference
| Requirement | Implementation |
|---|---|
| GitHub Actions permission | id-token: write |
| package.json field | repository.url matching GitHub repo |
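A preflight check for the two rows of the table, plus the leftover `NPM_TOKEN` reference a migration should remove. This is an added example, not code from the prpm skill; `repoSlug`, `preflight` and the sample package and workflows are hypothetical names and constructed inputs.

```javascript
// Added example: names and sample inputs below are constructed for illustration.
// Reduce common repository.url spellings to "owner/repo"; null if not a GitHub URL.
function repoSlug(repository) {
  const url = typeof repository === "string" ? repository : repository && repository.url;
  if (typeof url !== "string") return null;
  const m = url.trim().match(
    /^(?:github:|(?:git\+)?(?:https|ssh|git):\/\/(?:git@)?github\.com\/|git@github\.com:)([^\/\s]+)\/([^\/\s#]+?)(?:\.git)?\/?$/
  );
  return m ? `${m[1]}/${m[2]}` : null;
}

// Returns a list of problems; an empty list means both table rows are satisfied.
// The workflow check is textual (no YAML parser), so it does not confirm which
// job the permission applies to.
function preflight(pkg, githubRepository, workflowYaml) {
  const problems = [];
  const slug = repoSlug(pkg.repository);
  // Exact, case-sensitive comparison: a conservative choice made by this example.
  if (slug === null) {
    problems.push("package.json: repository.url is missing or not a GitHub URL");
  } else if (slug !== githubRepository) {
    problems.push(`package.json: repository.url is ${slug}, workflow runs in ${githubRepository}`);
  }
  // Drop YAML comments so a commented-out permission does not count.
  const lines = workflowYaml.split("\n").map((l) => l.replace(/\s+#.*$|^#.*$/, ""));
  if (!lines.some((l) => /^\s*id-token:\s*['"]?write['"]?\s*$/.test(l))) {
    problems.push("workflow: permissions block lacks id-token: write");
  }
  if (lines.some((l) => /secrets\.NPM_TOKEN/.test(l))) {
    problems.push("workflow: still references secrets.NPM_TOKEN");
  }
  return problems;
}

// Constructed sample inputs: one package, a token-based workflow, a migrated one.
const samplePkg = {
  name: "@acme/widget",
  repository: { type: "git", url: "git+https://github.com/acme/widget.git" },
};
const legacyWorkflow = [
  "permissions:", "  contents: read", "  # id-token: write",
  "jobs:", "  publish:", "    steps:", "      - run: npm publish",
  "        env:", "          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}",
].join("\n");
const migratedWorkflow = [
  "permissions:", "  contents: read", "  id-token: write",
  "jobs:", "  publish:", "    steps:", "      - run: npm publish",
].join("\n");
console.log(preflight(samplePkg, "acme/widget", legacyWorkflow));
console.log(preflight(samplePkg, "acme/widget", migratedWorkflow));
```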