Run any Skill in Manus with one click

$pwd:

npm-trusted-publishing

Name: Npm Trusted Publishing
Author: paulirish

// Use this skill to set up or debug npm "Trusted Publishing" (OIDC) from GitHub Actions. It handles OIDC permissions, Node.js version requirements, package.json metadata validation (specifically repository.url), and robust publish commands with provenance. Trigger this when the user mentions "npm OIDC", "trusted publishing", "publish to npm from github", or encounters 404/422 errors during npm publish in CI.

Run Skill in Manus

$ git log --oneline --stat

stars:4,343

forks:1,273

updated:April 2, 2026 at 00:01

SKILL.md

readonly

name

npm-trusted-publishing

description

Use this skill to set up or debug npm "Trusted Publishing" (OIDC) from GitHub Actions. It handles OIDC permissions, Node.js version requirements, package.json metadata validation (specifically repository.url), and robust publish commands with provenance. Trigger this when the user mentions "npm OIDC", "trusted publishing", "publish to npm from github", or encounters 404/422 errors during npm publish in CI.

npm Trusted Publishing (OIDC)

Configure and debug secure, tokenless npm publishing from GitHub Actions using OpenID Connect (OIDC) and Provenance.

Core Requirements

Trusted Publishing eliminates the need for long-lived NPM_TOKEN secrets by using short-lived, cryptographically-signed tokens.

1. GitHub Actions Permissions

The workflow MUST have explicit permissions to fetch the OIDC ID token.

permissions:
  id-token: write # Required for OIDC
  contents: read  # Required for checkout

2. Node.js Version

Trusted Publishing requires Node.js 22.14.0 or higher and npm 11.5.1 or higher.

- uses: actions/setup-node@v4
  with:
    node-version: 22.14.0
    registry-url: 'https://registry.npmjs.org'

3. package.json Metadata (CRITICAL)

NPM validates provenance against the repository field. If this is missing or incorrect, the publish will fail with a 422 Unprocessable Entity.

{
  "repository": {
    "type": "git",
    "url": "https://github.com/USER/REPO"
  }
}

Workflow Implementation

Recommended Publish Step

Always use the latest npm CLI and explicit flags for maximum reliability.

- name: Publish to npm
  run: |
    npm install -g npm@latest
    npm publish --provenance --access public --registry https://registry.npmjs.org/

Troubleshooting Guide

404 Not Found

Cause: Usually a registry mismatch.
Fix: Explicitly set --registry https://registry.npmjs.org/ in the publish command. Ensure no .npmrc is overriding the registry to a mirror or private proxy.

422 Unprocessable Entity

Cause: Metadata mismatch (most common: repository.url in package.json is missing or doesn't match the GitHub URL).
Fix: Validate package.json against the actual repository URL.

403 Forbidden / Unauthorized

Cause: The "Trusted Publisher" is not configured on npmjs.com or has an "Environment" mismatch.
Fix:
1. Check npmjs.com → Package Settings → Trusted Publishing.
2. Verify Organization, Repository, and Workflow filename (e.g., publish.yml) are exact.
3. If an Environment is specified on npm (e.g., "release"), it MUST be specified in the workflow: jobs.publish.environment: release.

User Instructions

When setting up a new project, provide these instructions to the user:

Configure npmjs.com: Go to your package settings → Trusted Publishing and add a new "GitHub Actions" publisher.
Fields:
- Organization: YOUR_USERNAME
- Repository: YOUR_REPO
- Workflow filename: publish.yml
- Environment: Leave blank (unless explicitly requested).
No Secrets Needed: Remind the user that NPM_TOKEN is NO LONGER REQUIRED in GitHub Secrets.

Additional Resources

For more detailed information, consult the official documentation. It is often helpful to fetch this URL to verify the latest field requirements or troubleshooting steps: https://docs.npmjs.org/trusted-publishers

related-skills.json

same repository

buildless-types.md

from "paulirish/dotfiles"

Use when the user asks to "set up types without a build step", "use vanilla JS with types", "configure erasable syntax", or mentions "JSDoc type checking". It provides instructions for modern type safety using JSDoc in browsers and native TypeScript execution in Node.js.

2026-04-024.3k

code-simplifier-gemini-cli.md

from "paulirish/dotfiles"

Installs and runs the Code Simplifier subagents for Gemini CLI (Code Reuse Reviewer, Code Quality Reviewer, and Efficiency Reviewer) to review and clean up code changes. Trigger this skill when the user asks to "simplify code", "run code simplifier", "review changes for quality", or "setup review agents".

2026-04-024.3k

create-gemini-cli-subagents.md

from "paulirish/dotfiles"

Expert guide for defining, creating, and invoking custom subagents in Gemini CLI. Trigger this skill when the user wants to create a new specialist agent, define a custom subagent, or learn how to delegate tasks to specialist agents within the Gemini CLI environment.

2026-04-024.3k

hot-reloading-for-chrome-extensions.md

from "paulirish/dotfiles"

This skill should be used when the user asks to "setup hot reload", "add hot reloading to chrome extension", "watch extension files", "auto reload extension", or mentions "manifest v3 hot reload". Provides a zero-dependency solution for automatic extension refreshing during development.

2026-04-024.3k

pauls-project-setup.md

from "paulirish/dotfiles"

Use this skill ALWAYS when the user asks to start a new project, initialize a repository, bootstrap a new app, or set up a codebase from scratch. It provides Paul's exact required modern stack conventions (pnpm, native node test, esbuild/vite, and buildless-types). If the user mentions "new project" or "setup", you must consult this skill before creating any files to ensure the correct architecture is used.

2026-04-024.3k

package.json

"author": "paulirish"

"repository": "paulirish/dotfiles"

View GitHub Repository View Creator Repositories

$ install --global

$ download --local

Run Skill in Manus

$ useful --forSOC

Software DevelopersComputer and Mathematical Occupations15-1252L4

name

npm-trusted-publishing

description

npm Trusted Publishing (OIDC)

Configure and debug secure, tokenless npm publishing from GitHub Actions using OpenID Connect (OIDC) and Provenance.

Core Requirements

Trusted Publishing eliminates the need for long-lived NPM_TOKEN secrets by using short-lived, cryptographically-signed tokens.

1. GitHub Actions Permissions

The workflow MUST have explicit permissions to fetch the OIDC ID token.

permissions:
  id-token: write # Required for OIDC
  contents: read  # Required for checkout

2. Node.js Version

Trusted Publishing requires Node.js 22.14.0 or higher and npm 11.5.1 or higher.

- uses: actions/setup-node@v4
  with:
    node-version: 22.14.0
    registry-url: 'https://registry.npmjs.org'

3. package.json Metadata (CRITICAL)

NPM validates provenance against the repository field. If this is missing or incorrect, the publish will fail with a 422 Unprocessable Entity.

{
  "repository": {
    "type": "git",
    "url": "https://github.com/USER/REPO"
  }
}

Workflow Implementation

Recommended Publish Step

Always use the latest npm CLI and explicit flags for maximum reliability.

- name: Publish to npm
  run: |
    npm install -g npm@latest
    npm publish --provenance --access public --registry https://registry.npmjs.org/

Troubleshooting Guide

404 Not Found

Cause: Usually a registry mismatch.
Fix: Explicitly set --registry https://registry.npmjs.org/ in the publish command. Ensure no .npmrc is overriding the registry to a mirror or private proxy.

422 Unprocessable Entity

Cause: Metadata mismatch (most common: repository.url in package.json is missing or doesn't match the GitHub URL).
Fix: Validate package.json against the actual repository URL.

403 Forbidden / Unauthorized

Cause: The "Trusted Publisher" is not configured on npmjs.com or has an "Environment" mismatch.
Fix:
1. Check npmjs.com → Package Settings → Trusted Publishing.
2. Verify Organization, Repository, and Workflow filename (e.g., publish.yml) are exact.
3. If an Environment is specified on npm (e.g., "release"), it MUST be specified in the workflow: jobs.publish.environment: release.

User Instructions

When setting up a new project, provide these instructions to the user:

Configure npmjs.com: Go to your package settings → Trusted Publishing and add a new "GitHub Actions" publisher.
Fields:
- Organization: YOUR_USERNAME
- Repository: YOUR_REPO
- Workflow filename: publish.yml
- Environment: Leave blank (unless explicitly requested).
No Secrets Needed: Remind the user that NPM_TOKEN is NO LONGER REQUIRED in GitHub Secrets.

npm-trusted-publishing

npm Trusted Publishing (OIDC)

Core Requirements

1. GitHub Actions Permissions

2. Node.js Version

3. package.json Metadata (CRITICAL)

Workflow Implementation

Recommended Publish Step

Troubleshooting Guide

404 Not Found

422 Unprocessable Entity

403 Forbidden / Unauthorized

User Instructions

Additional Resources

More from this repository

More from this repository

npm Trusted Publishing (OIDC)

Core Requirements

1. GitHub Actions Permissions

2. Node.js Version

3. package.json Metadata (CRITICAL)

Workflow Implementation

Recommended Publish Step

Troubleshooting Guide

404 Not Found

422 Unprocessable Entity

403 Forbidden / Unauthorized

User Instructions

Additional Resources