publish.yml — 5 fails (.github/workflows/publish.yml)

```yaml
name: publish
on: [push]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-node@v3
      - run: npm publish
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
```
Paste your package.json and publish.yml — get a 14-row OIDC pass/fail report before you tag v1.0.0.
No signup · Runs in your browser · Free

14 checks · pass/fail per release
0 secrets · stored in your repo
5 min · OIDC tokens live minutes, not years
$0 · free, no signup, no login
§ ARTIFACT · preview
The full preflight runs 14 static checks on your package.json and GitHub Actions workflow. The five below are the preview.

Workflow grants id-token: write
Without this permission GitHub never mints an OIDC token for the job, and npm falls back to whatever long-lived NPM_TOKEN is still configured, without warning.

Workflow uses actions/setup-node@v4
v3 and earlier don't wire registry-url for OIDC; v4 is required for trusted publishing. One caveat the static check cannot see: the OIDC exchange itself lives in the npm CLI (11.5.1 or later per npm's trusted-publishing docs), and Node 20's bundled npm is older than that, so upgrade npm in the job before the publish step.

npm publish uses --provenance
Without it the Sigstore attestation is skipped and the package shows no provenance badge. Setting `publishConfig.provenance` to true in package.json is equivalent. After publishing, `npm audit signatures` run from a project that installs the package verifies the attestation against the registry.

Trusted publisher configured on npmjs.com
Package Settings → Trusted Publishers → GitHub Actions, with the owner, repository and workflow filename matching the job that runs. The preflight can only check the workflow side; the registry side stays a manual step.

package.json#repository.url matches GitHub repo
Trusted publishing rejects the job when the URL points at a fork or a stale mirror. Any form npm accepts (`git+https://github.com/owner/name.git`, `github:owner/name`, `owner/name`) is fine as long as it resolves to the repository that runs the workflow.
§ 9 MORE CHECKS
Paste your real files, run the full 14-row pass/fail report.
§ PAIN MIRROR
Four failure shapes recur across npm/cli issues and the OIDC docs. The preflight looks for each one.

OIDC-401 · id-token: write is set, npm still asks for NPM_TOKEN.
Usually actions/setup-node@v3, a missing registry-url, or NPM_TOKEN still in env.

PROV-E_NOATTEST · npm publish --provenance fails with E_NOATTEST.
Sigstore Fulcio cert rotation or action pinning drift.

REPO-MISMATCH · Trusted publisher rejects the job because the repo URL is stale.
package.json#repository.url points at a fork.

PUSH-OOPS · A merge to main accidentally publishes v1.0.1.
Trigger is on: push instead of on: release. There is no undo beyond npm's 72-hour unpublish window.
§ HOW IT WORKS
Static page. Every check is a regex or a JSON lookup over text you paste; there is no server and no telemetry.

PASTE · Drop two files: your package.json and your publish.yml. Nothing leaves the tab.
CHECK · 14 static checks: JSON parsing and regex over the known failure shapes from the npm trusted-publishing docs.
FIX · Pass/fail with one-line fixes. Each fail tells you the exact YAML or JSON change, and links to the GitHub Issue that taught us the case.
§ BEFORE / AFTER
Same publish.yml, two states. The preflight tells you which one you have before you tag.

BEFORE — 5 fails (publish.yml)

```yaml
name: publish
on: [push]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-node@v3
      - run: npm publish
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
```

AFTER — 14 / 14 pass (publish.yml)

```yaml
name: publish
on:
  release:
    types: [published]
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write   # lets GitHub mint the OIDC token npm exchanges for a publish credential
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: "https://registry.npmjs.org"
      # Trusted publishing needs npm CLI 11.5.1 or later; Node 20's bundled npm is older.
      - run: npm install -g npm@latest
      - run: npm ci
      - run: npm publish --provenance
```

§ PROOF
Sourced from npm and GitHub OIDC docs, the CLI changelog, and real maintainer bug threads.

npm Docs — Trusted Publishers
The OIDC trusted-publisher feature, supported registries, and the requirement that the workflow repo match the package repository.

GitHub Docs — OIDC for npm
How id-token: write maps to the npm audience, and the contents: read permission requirement.

npm CLI changelog (v9.5+)
When --provenance shipped and the OIDC publish path landed; useful for confirming the required CLI version.

Sigstore — Provenance for JavaScript
How npm provenance attestations are signed via Fulcio and recorded in Rekor.

GitHub Issues — npm/cli
Real failure threads filed by maintainers; the source of the recurring failure shapes the artifact looks for.

r/javascript — "trusted publishing" search
Maintainer-written postmortems and migration notes that shaped the FAQ.

The full claim ledger lives in the project repo and is reviewed when the npm CLI or GitHub Actions docs change.
§ FIELD NOTES
§ workflow
Migrating from NPM_TOKEN to Trusted Publishing — the 5-Step Migration in a Weekend
A weekend-sized migration plan from long-lived NPM_TOKEN secrets to OIDC trusted publishing on npm. Five steps, each reversible until the last, with the rollback path if a publish fails.
May 19, 2026
§ checklist
Pre-Publish Checklist for a New npm Package in 2026 (Security, Provenance, README)
A grounded pre-publish checklist for a new npm package in 2026: trusted publishing wired, provenance enabled, scoped access, files allowlist, README and license correct, and the search-and-tags that get you found.
May 18, 2026
§ concept
Provenance Attestation, Sigstore, and SLSA Level 3: What They Mean for Indie Package Authors
What provenance attestation, Sigstore, and SLSA Level 3 actually buy you as a solo or small-team npm package author. Plain-language definitions, the verification chain, and what is still your responsibility.
May 17, 2026
§ comparison
Trusted Publishing on JSR vs npm: a 2026 Comparison for Library Authors
Where JSR and npm trusted publishing agree, where they diverge, and how to publish the same TypeScript library to both with one workflow and two trusted publishers.
May 16, 2026
§ FAQ
Who is this for?
Library maintainers and DevOps engineers preparing their first npm publish under OIDC trusted publishing, or migrating from a long-lived NPM_TOKEN in GitHub Actions to OIDC.

Does it run entirely locally?
Yes. The 14-row check runs entirely in your browser using the JSON parser and regex over what you paste. Nothing leaves the page.

What does it replace?
It replaces the ad-hoc "skim three GitHub Issues and hope I caught it" flow before a v1.0.0 release. It does not replace the actual npm trusted-publisher setup, which still requires a manual click on npmjs.com.

Is there a hosted version?
The hosted audit (paste a repo URL, get a guided report and a fix PR) is in build. The preflight checklist above is the standalone artifact you can use today.

Is it free?
The checklist on this page is free and stays free. Paid options will be for teams that want a CI-integrated audit and a SLSA Level 3 evidence ledger.

Do you see my files?
No. There is no backend on this page. Open DevTools, check the Network tab, paste your files, and run the check: there are no outbound requests for the artifact.

What about pnpm, yarn and bun?
The checklist flags pnpm publish as OK and yarn classic publish as a fail (yarn classic does not speak OIDC). Bun publish landed in mid-2026 and is not yet wired to npm trusted publishing.

Where do the failure cases come from?
Read the blog. Every post links back to the primary docs and the GitHub Issue thread that taught us the failure case.

Fourteen checks, in your browser, free. Read the field notes for the GitHub Issues each one came from.
No signup · Runs locally · Free