Merged
51 changes: 51 additions & 0 deletions .github/workflows/publish-npm.yml
@@ -0,0 +1,51 @@
name: Publish npm

on:
workflow_dispatch:
push:
tags:
- "v*"

permissions:
contents: read

concurrency:
group: publish-npm
cancel-in-progress: false

jobs:
publish:
name: Publish tokenleak to npm
if: github.repository == 'ya-nsh/tokenleak' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v'))
runs-on: ubuntu-latest
environment: npm-publish
permissions:
contents: read
id-token: write
steps:
- name: Check out repository
uses: actions/checkout@v4

- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: "24"
registry-url: "https://registry.npmjs.org"

- name: Set up Bun
uses: oven-sh/setup-bun@v2
with:
bun-version: "1.3.10"

- name: Install dependencies
run: bun install --frozen-lockfile

- name: Run checks
run: bun run check

- name: Prepare npm package
run: bun run prepublish

- name: Publish to npm
working-directory: dist
run: npm publish
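Review bot: the three third-party actions in this job (`actions/checkout@v4`, `actions/setup-node@v4`, `oven-sh/setup-bun@v2`) are referenced by mutable major-version tags, yet this is the one job in the repository that holds `id-token: write` and can publish to npm; pin each `uses:` to a full commit SHA (with the tag kept in a trailing comment) so that a retagged or compromised action cannot execute inside the publishing job. Two smaller points: the `environment: npm-publish` line only adds a gate if the environment has protection rules (required reviewers, or deployment branches and tags limited to `main` and `v*`) configured in the repository settings, which this diff cannot show, so it is worth stating where those rules live; and because `npm publish` runs from `dist` with whatever `bun run prepublish` produced, an `npm publish --dry-run` step before the real publish would list the tarball contents in the job log and catch an unintended file before it ships.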
32 changes: 32 additions & 0 deletions CONTRIBUTING.md
Expand Up @@ -61,6 +61,38 @@ bun run format

5. Never commit directly to `main`.

## Release Publishing

Tokenleak publishes to npm from GitHub Actions with npm Trusted Publishing. The publish workflow does not store an npm token and does not run for pull requests.

Configure the package once from an npm account with publish access:

```bash
npm trust github tokenleak --repo ya-nsh/tokenleak --file publish-npm.yml --env npm-publish
```

Use these trusted publisher fields if configuring in npmjs.com instead:

- Provider: GitHub Actions
- Organization or user: `ya-nsh`
- Repository: `tokenleak`
- Workflow file: `publish-npm.yml`
- Environment: `npm-publish`
- Allowed action: `npm publish`

After a release PR is merged and the version is ready, publish with one of:

```bash
# Manual release from the default branch
gh workflow run publish-npm.yml --ref main

# Tag-triggered release
git tag v<version>
git push origin v<version>
```

Only users with write access to the repository can manually trigger the workflow or push release tags. Forks and pull requests cannot publish because the workflow has no `pull_request` trigger, and the publish job is restricted to `ya-nsh/tokenleak` on `main` or `v*` tags.

## Code Style

- **Strict TypeScript**: No `any` types. Use `unknown` and narrow properly.
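Review bot: the tag-triggered instructions (`git tag v<version>` then `git push origin v<version>`) should say that the tag must match the version already committed in `package.json`, because the workflow publishes whatever version `bun run prepublish` writes into `dist` and has no step comparing the tag to it, so a mismatched tag would publish silently under a different version than the tag name suggests. Also, "Only users with write access to the repository can manually trigger the workflow or push release tags" describes the default, not an enforced restriction: every collaborator with write access can push a `v*` tag and thereby start a publish, so the section could point to a tag protection rule or ruleset on `v*` (and required reviewers on the `npm-publish` environment) as the place where the set of people who can actually release is narrowed.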