publish

February 24, 2025 ยท View on GitHub

The actions/nodejs/publish action provides a way to publish a Node.js package tarball and attestations generated by the Node.js builder to the official npm registy.

Example

Here is an example of building a Node.js package with the Node.js builder and publishing it using the publish action.

jobs:
  build:
    permissions:
      id-token: write
      contents: read
      actions: read
    if: startsWith(github.ref, 'refs/tags/')
    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_nodejs_slsa3.yml@v2.1.0
    with:
      run-scripts: "ci, build"

  publish:
    needs: [build]
    runs-on: ubuntu-latest
    steps:
      - name: Set up Node registry authentication
        uses: actions/setup-node@64ed1c7eab4cce3362f8c340dee64e5eaeef8f7c # v3.6.0
        with:
          # Use the official npm registry.
          registry-url: "https://registry.npmjs.org"

      - name: publish
        id: publish
        uses: slsa-framework/slsa-github-generator/actions/nodejs/publish@v2.1.0
        with:
          access: public
          node-auth-token: ${{ secrets.NPM_TOKEN }}
          package-name: ${{ needs.build.outputs.package-name }}
          package-download-name: ${{ needs.build.outputs.package-download-name }}
          package-download-sha256: ${{ needs.build.outputs.package-download-sha256 }}
          provenance-name: ${{ needs.build.outputs.provenance-name }}
          provenance-download-name: ${{ needs.build.outputs.provenance-download-name }}
          provenance-download-sha256: ${{ needs.build.outputs.provenance-download-sha256 }}

This will publish the tarball and provenance created built by the Node.js builder to the official registry.

Inputs

NameRequiredDefaultDescription
accessno'restricted' for scoped packages, 'public' for unscoped packagesThe package access level. See npm help access for more information.
dist-tagno"latest"The package dist-tag to attach. See npm help dist-tag for more information.
node-auth-tokenyesThe npm registry auth token used to publish the package. See About access tokens for more information.
package-nameyesThe file name for the package tarball in the artifact.
package-download-nameyesThe GitHub Actions artifact name for the package tarball.
package-download-sha256yesThe sha256 of the package tarball artifact.
provenance-nameyesThe file name for the package provenance in the artifact.
provenance-download-nameyesThe GitHub Actions artifact name for the package provenance.
provenance-download-sha256yesThe sha256 of the package provenance artifact.

Outputs

There are no outputs.