actions/setup-node
1
0
Fork 0
mirror of https://github.com/actions/setup-node.git synced 2026-04-23 17:10:20 +08:00
Code Issues Packages Projects Releases Wiki Activity

Add documentation for publishing to npm with Trusted Publisher (OIDC) (#1536)

Browse Source
This commit is contained in:
Chiranjib Swain 2026-04-23 08:28:57 +05:30 committed by GitHub
parent 48b55a011b
commit 670825a89d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 40 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
README.md
View File

@ -249,6 +249,7 @@ If the runner is not able to access github.com, any Nodejs versions requested du
- [Publishing to npmjs and GPR with npm](docs/advanced-usage.md#publish-to-npmjs-and-gpr-with-npm)
- [Publishing to npmjs and GPR with yarn](docs/advanced-usage.md#publish-to-npmjs-and-gpr-with-yarn)
- [Using private packages](docs/advanced-usage.md#use-private-packages)
- [Publishing to npm with Trusted Publisher (OIDC)](docs/advanced-usage.md#publishing-to-npm-with-trusted-publisher-oidc)
- [Using private mirror](docs/advanced-usage.md#use-private-mirror)
## Recommended permissions

39
docs/advanced-usage.md
View File

@ -475,6 +475,45 @@ To access private GitHub Packages within the same organization, go to "Manage Ac
Please refer to the [Ensuring workflow access to your package - Configuring a package's access control and visibility](https://docs.github.com/en/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility#ensuring-workflow-access-to-your-package) for more details.
## Publishing to npm with Trusted Publisher (OIDC)
npm supports Trusted Publishers, enabling packages to be published from GitHub Actions using OpenID Connect (OIDC) instead of long-lived npm tokens. This improves security by replacing static credentials with short-lived tokens, reducing the risk of credential leakage and simplifying authentication in CI/CD workflows.
### Requirements
Trusted publishing requires a compatible npm version:
* **npm ≥ 11.5.1 (required)**
* **Node.js 24 or newer (recommended)** — includes a compatible npm version by default
> If npm is below 11.5.1, publishing will fail even if OIDC permissions are correctly configured.
You must also configure a **Trusted Publisher** in npm for your package/scope that matches your GitHub repository and workflow (and optional environment, if used).
### Example workflow
```yaml
permissions:
contents: read
id-token: write # Required for OIDC
steps:
- uses: actions/checkout@v6
- uses: actions/setup-node@v6
with:
node-version: '24'
registry-url: 'https://registry.npmjs.org'
- run: npm ci
- run: npm run build --if-present
- run: npm publish
```
> **Note**: If the Trusted Publisher configuration (GitHub owner/repo/workflow file, and optional environment) does not match the workflow run identity exactly, publishing may fail with **E404 Not Found** even if the package exists on npm.
For more details, see the [npm Trusted Publishers documentation](https://docs.npmjs.com/trusted-publishers) and the [GitHub Actions OpenID Connect (OIDC) overview](https://docs.github.com/en/actions/concepts/security/openid-connect).
## Use private mirror
It is possible to use a private mirror hosting Node.js binaries. This mirror must be a full mirror of the official Node.js distribution.