NPM Publish
ActionsTags
(2)Publish packages to npm automatically in GitHub Actions whenever a change to your package's version field is detected.
This action automates a specific kind of continuous deployment to npm, where you want to publish whenever the version field in package.json changes on your main branch. If you prefer to publish on tags (for example, those created by the npm version command), or are using an alternative package manager like pnpm, you don't need this action! Simply configure setup-node with its registry-url option and call your package manager's publish command directly. This is more secure than relying on a third-party action like this one, and is more customizable.
# Publish to npm whenever a tag is pushed
name: Publish to npm
on:
  push:
    tags: v*
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-node@v5
        with:
          node-version: "24"
          registry-url: "https://registry.npmjs.org"
      - run: npm ci
      - run: npm test
      - run: npm publish --provenance --ignore-scripts
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}See GitHub's Node.js publishing guide and npm's trusted publishing docs for more details and examples.
- 
🧠 Smart Only publishes if the version number in package.jsondiffers from the latest on npm.
- 
🛠 Configurable Customize the version-checking behavior, the registry URL, and path of your package. 
- 
🔐 Secure Keeps your npm authentication token secret. Doesn't read nor write to ~/.npmrc.
- 
⚡ Fast 100% JavaScript (which is faster than Docker) and bundled to optimize loading time. 
- 
📤 Outputs Exposes the old and new version numbers, and the type of change (major, minor, patch, etc.) as variables that you can use in your workflow. 
This package can be used three different ways:
- 
🤖 A GitHub Action as part of your CI/CD process 
- 
🧩 A function that you call in your JavaScript code 
- 
🖥 A CLI that you run in your terminal 
To use the GitHub Action, you'll need to add it as a step in your workflow file. By default, the only thing you need to do is set the token parameter to your npm authentication token.
on:
  push:
    branches: main
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-node@v5
        with:
          node-version: "24"
      - run: npm ci
      - run: npm test
      - uses: JS-DevTools/npm-publish@v4
        with:
          token: ${{ secrets.NPM_TOKEN }}If you have trusted publishing configured for your package and use npm@>=11.5.1, you can omit the token input and use OIDC instead.
Important
If you're publishing a private package, you will still need to provide a read-only token so the action can read existing versions from the registry before publish.
  jobs:
    publish:
      runs-on: ubuntu-latest
+     permissions:
+       contents: read
+       id-token: write  # required to use OIDC
      steps:
        - uses: actions/checkout@v5
        - uses: actions/setup-node@v5
          with:
            node-version: "24"  # includes [email protected]
        - run: npm ci
        - run: npm test
        - uses: JS-DevTools/npm-publish@v4
-         with:
-           token: ${{ secrets.NPM_TOKEN }}You can also publish to third-party registries. For example, to publish to the GitHub Package Registry, set token to secrets.GITHUB_TOKEN and registry to https://npm.pkg.github.com:
on:
  push:
    branches: main
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write # allow GITHUB_TOKEN to publish packages
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-node@v5
        with:
          node-version: "24"
      - run: npm ci
      - run: npm test
      - uses: JS-DevTools/npm-publish@v4
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          registry: "https://npm.pkg.github.com"You can set any or all of the following input parameters using with:
| Name | Type | Default | Description | 
|---|---|---|---|
| token | string | unspecified | Registry authentication token, not required if using trusted publishing³ | 
| registry¹ | string | https://registry.npmjs.org/ | Registry URL to use. | 
| package | string | Current working directory | Path to a package directory, a package.json, or a packed.tgzto publish. | 
| tag¹ | string | latest | Distribution tag to publish to. | 
| access¹ | public,restricted | npm defaults | Whether the package should be publicly visible or restricted. | 
| provenance¹ ² | boolean | false | Run npm publishwith the--provenanceflag to add provenance statements. | 
| strategy | all,upgrade | all | Use allto publish all unique versions,upgradefor only semver upgrades. | 
| ignore-scripts | boolean | true | Run npm publishwith the--ignore-scriptsflag as a security precaution. | 
| dry-run | boolean | false | Run npm publishwith the--dry-runflag to prevent publication. | 
- May be specified using publishConfiginpackage.json.
- Provenance requires npm >=9.5.0.
- Trusted publishing npm >=11.5.1and must be run from a supported cloud provider.
npm-publish exposes several output variables, which you can use in later steps of your workflow if you provide an id for the npm-publish step.
  steps:
    - uses: JS-DevTools/npm-publish@v4
+     id: publish
      with:
        token: ${{ secrets.NPM_TOKEN }}
+   - if: ${{ steps.publish.outputs.type }}
+     run: echo "Version changed!"| Name | Type | Description | 
|---|---|---|
| id | string | Package identifier of the release: ${name}@${version}or empty if no release. | 
| type | string | Semver release type, initialif first release,differentif other change, or empty if no release. | 
| name | string | Name of the package. | 
| version | string | Version of the package. | 
| old-version | string | Previously published version on tagor empty if no previous version on tag. | 
| tag | string | Distribution tag the package was published to. | 
| access | string | Access level the package was published with, or defaultif scoped-package defaults were used. | 
| registry | string | Registry the package was published to. | 
| dry-run | boolean | Whether npm publishwas run in "dry run" mode. | 
To use npm-package in your JavaScript code, you'll need to install it using npm or other package manager of choice:
npm install --save-dev @jsdevtools/npm-publishYou can then import it and use it in your code like this:
import { npmPublish } from "@jsdevtools/npm-publish";
// Run npm-publish with all defaults
await npmPublish({ token: "YOUR_NPM_AUTH_TOKEN_HERE" });As shown in the example above, you should pass an options object to the npmPublish function. In TypeScript, the Options interface is available as an import.
import type { Options } from "@jsdevtools/npm-publish";| Name | Type | Default | Description | 
|---|---|---|---|
| token | string | required | Registry authentication token, not required if using trusted publishing³ | 
| registry¹ | string, URL | https://registry.npmjs.org/ | Registry URL to use. | 
| package | string | Current working directory | Path to a package directory, a package.json, or a packed.tgzto publish. | 
| tag¹ | string | latest | Distribution tag to publish to. | 
| access¹ | public,restricted | npm defaults | Whether the package should be publicly visible or restricted. | 
| provenance¹ ² | boolean | false | Run npm publishwith the--provenanceflag to add provenance statements. | 
| strategy | all,upgrade | all | Use allto publish all unique versions,upgradefor only semver upgrades. | 
| ignoreScripts | boolean | true | Run npm publishwith the--ignore-scriptsflag as a security precaution. | 
| dryRun | boolean | false | Run npm publishwith the--dry-runflag to prevent publication. | 
| logger | object | undefined | Logging interface with debug,info, anderrorlog methods. | 
| temporaryDirectory | string | os.tmpdir() | Temporary directory to hold a generated .npmrcfile | 
- May be specified using publishConfiginpackage.json.
- Provenance requires npm >=9.5.0.
- Trusted publishing npm >=11.5.1and must be run from a supported cloud provider.
The npmPublish() function returns a promise of a Results object. In TypeScript, the Results interface is available as an import.
import type { Results } from "@jsdevtools/npm-publish";| Name | Type | Description | 
|---|---|---|
| id | Optional string | Package identifier of the release: ${name}@${version}orundefinedif no release. | 
| type | Optional string | Semver release type, initialif first release,differentif other change, orundefinedif no release. | 
| name | string | Name of the package. | 
| version | string | Version of the package. | 
| oldVersion | Optional string | Previously published version on tagorundefinedif no previous version. | 
| tag | string | Distribution tag that the package was published to. | 
| access | Optional string | Access level the package was published with, or undefinedif scoped-package defaults were used. | 
| registry | URL | Registry the package was published to. | 
| dryRun | boolean | Whether npm publishwas run in "dry run" mode. | 
You can also use npm-publish as a command-line tool in your terminal.
npm install --save-dev @jsdevtools/npm-publishYou can then use it in your terminal or in npm run scripts.
npx npm-publish --token YOUR_NPM_AUTH_TOKEN_HEREYou can customize your call with options to change the registry, package, etc.
npx npm-publish --token YOUR_NPM_AUTH_TOKEN_HERE --registry http://example.com ./path/to/packageRun npm-publish --help to see the full list of options available.
Usage:
  npm-publish <options> [package]
Arguments:
  package                 The path to the package to publish.
                          May be a directory, package.json, or .tgz file.
                          Defaults to the package in the current directory.
Options:
  --token <token>         npm authentication token.
                          Not required if using trusted publishing.
                          See npm documentation for details.
  --registry <url>        Registry to read from and write to.
                          Defaults to "https://registry.npmjs.org/".
  --tag <tag>             The distribution tag to check against and publish to.
                          Defaults to "latest".
  --access <access>       Package access, may be "public" or "restricted".
                          See npm documentation for details.
  --provenance            Publish with provenance statements.
                          See npm documentation for details.
  --strategy <strategy>   Publish strategy, may be "all" or "upgrade".
                          Defaults to "all", see documentation for details.
  --no-ignore-scripts     Allow lifecycle scripts, which are disabled by default
                          as a security precaution. Defaults to false.
  --dry-run               Do not actually publish anything.
  --quiet                 Only print errors.
  --debug                 Print debug logs.
  -v, --version           Print the version number.
  -h, --help              Show usage text.
Examples:
  $ npm-publish --token abc123 ./my-package
Major releases of the action and libraries may contain breaking changes, documented here. For more detailed change logs, see releases.
The v4 release does not require any changes to how you use the npm-publish action from v3. The action was updated to Node 24 / npm 11.
In the library and CLI, support for Node 16 and Node 18 was dropped in v4, and the library API was switched to ESM-only. Library users should switch to ESM or update Node to a version with support for loading ES modules using require.
The v4 release does not require any changes to how you use the npm-publish action from v2. The action was updated to Node 20 in v3 due to GitHub Action's deprecation of Node 16, and then updated to Node 24 in v4.
In the library and CLI, support for Node 16 and Node 18 was dropped in v4, and the library API was switched to ESM-only. Library users should switch to ESM or update Node to a version with support for loading ES modules using require.
The v2 release made several breaking changes to inputs, outputs, and behaviors that were present in v1. The examples below focus on the action, but the same changes are applicable to the library and CLI, too.
In the library and CLI, support for Node 16 and Node 18 was dropped in v4, and the library API was switched to ESM-only. Library users should switch to ESM or update Node to a version with support for loading ES modules using require.
The check-version and greater-version-only boolean options were replaced with the strategy option:
- strategy: all(default) will publish any version that does not yet exist in the registry
- strategy: upgradewill publish only if the version is a semver upgrade of the requested- dist-tag
  with:
    token: ${{ secrets.NPM_TOKEN }}
-   check-version: true
-   greater-version-only: false
+   strategy: all
  with:
    token: ${{ secrets.NPM_TOKEN }}
-   check-version: true
-   greater-version-only: true
+   strategy: upgradecheck-version: false has been removed. If you only need to publish, without first checking whether the version exists in the registry, you can use npm directly instead:
  - uses: actions/setup-node@v5
    with:
      node-version: '24'
+     registry-url: https://registry.npmjs.org/
- - uses: JS-DevTools/npm-publish@v1
-   with:
-     token: ${{ secrets.NPM_TOKEN }}
-     check-version: false
+ - run: npm publish
+   env:
+     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}The type output is now an empty string instead of 'none' when no release occurs
  - run: echo "Version changed!"
-   if: ${{ steps.publish.outputs.type != 'none' }}
+   if: ${{ steps.publish.outputs.type }}The --ignore-scripts option is now passed to npm publish as a security precaution. If you define any publish lifecycle scripts - prepublishOnly, prepack, prepare, postpack, publish, postpublish - we recommend you run that logic as a separate explicit build step.
+ - run: npm run build
- - uses: JS-DevTools/npm-publish@v1
+ - uses: JS-DevTools/npm-publish@v4
    with:
      token: ${{ secrets.NPM_TOKEN }}If you can't change your build, you can set the ignore-scripts input to false as a workaround. Be aware that failures during a lifecycle script can be difficult to debug, and any stdout/stderr output from your build script could interfere with how npm-publish interprets results from the npm CLI.
- - uses: JS-DevTools/npm-publish@v1
+ - uses: JS-DevTools/npm-publish@v4
    with:
      token: ${{ secrets.NPM_TOKEN }}
+     ignore-scripts: falseThe global .npmrc file is no longer read nor modified. This means the token option is now required for the library and CLI. (It was already required for the action.) You may have workarounds in place referencing INPUT_TOKEN, which v1 erroneously wrote to .npmrc. These workarounds should be removed.
  - uses: actions/setup-node@v5
    with:
      node-version: '24'
      registry-url: https://registry.npmjs.org/
- - uses: JS-DevTools/npm-publish@v1
+ - uses: JS-DevTools/npm-publish@v4
    with:
      token: ${{ secrets.NPM_TOKEN }}
  - name: Do some more stuff with npm
    run: npm whoami
    env:
-     INPUT_TOKEN: ${{ secrets.NPM_TOKEN }}
+     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}npm-publish is 100% free and open-source, under the MIT license. Use it however you want.
This package is Treeware. If you use it in production, then we ask that you buy the world a tree to thank us for our work. By contributing to the Treeware forest you’ll be creating employment for local families and restoring wildlife habitats.
Thanks to these awesome companies for their support of Open Source developers ❤
NPM Publish is not certified by GitHub. It is provided by a third-party and is governed by separate terms of service, privacy policy, and support documentation.