name	npm-trustme
description	Automate npm Trusted Publisher setup via the npm-trustme CLI. Use when configuring or verifying npm Trusted Publishers for GitHub Actions with npx npm-trustme, including browser automation and WebAuthn passkey approval.

npm-trustme

Overview

Automate npm Trusted Publisher setup in the npm web UI. Requires a one-time WebAuthn approval in a real browser session (passkey or security key).

CLI Quick Start

One-time if browsers are missing: npx playwright install
Ensure (create if missing): npx npm-trustme ensure --yes ...
Check only: npx npm-trustme check ...
Generate workflow: npx npm-trustme workflow init
Doctor: npx npm-trustme doctor
Non-interactive install: npx npm-trustme install --non-interactive ...

Required Target Inputs

Required: --package, --owner, --repo, --workflow
Optional: --publishing-access, --environment, --maintainer

Default inference:

package: package.json#name
owner/repo: git remote origin
workflow: .github/workflows/npm-release.yml or the only workflow file

Examples

Check:

npx npm-trustme check \
  --package <PACKAGE_NAME> \
  --owner <GITHUB_OWNER> \
  --repo <GITHUB_REPO> \
  --workflow <WORKFLOW_FILE> \
  --publishing-access <PUBLISHING_ACCESS>

Ensure (create if missing):

npx npm-trustme ensure \
  --package <PACKAGE_NAME> \
  --owner <GITHUB_OWNER> \
  --repo <GITHUB_REPO> \
  --workflow <WORKFLOW_FILE> \
  --publishing-access <PUBLISHING_ACCESS> \
  --yes

Non-interactive install (single package):

npx npm-trustme install --non-interactive \
  --package <PACKAGE_NAME> \
  --owner <GITHUB_OWNER> \
  --repo <GITHUB_REPO> \
  --workflow <WORKFLOW_FILE> \
  --publishing-access disallow-tokens \
  --headless \
  --storage ~/.npm-trustme/storage.json

Non-interactive install (monorepo):

npx npm-trustme install --non-interactive \
  --all-packages \
  --owner <GITHUB_OWNER> \
  --repo <GITHUB_REPO> \
  --workflow npm-release.yml \
  --publishing-access disallow-tokens

Targets file (JSON/YAML):

targets:
  - packageName: my-pkg
    owner: my-org
    repo: my-repo
    workflow: npm-release.yml
    environment: npm
    publishingAccess: disallow-tokens

Workflow write in non-interactive install:

npx npm-trustme install --non-interactive \
  --workflow-init \
  --workflow-file npm-release.yml \
  --workflow-pm pnpm \
  --workflow-node 24 \
  --workflow-trigger release \
  --workflow-dispatch true \
  --workflow-build-command "pnpm build" \
  --workflow-publish-command "npm publish --access public --provenance"

Dedicated Chrome (keeps main browser open):

npx npm-trustme chrome start
npx npm-trustme ensure --yes

Notes

--env-file can load a specific .env path.
--storage can persist Playwright storage state for faster re-runs.
Inline cookies (Sweet Cookie format) are supported: --inline-cookies-json, --inline-cookies-base64, or --inline-cookies-file.
Requires Node >= 22 (Sweet Cookie uses node:sqlite).
Chrome profile reuse (manual session): --chrome-profile / --chrome-profile-dir / --chrome-user-data-dir / --chrome-path.
Connect to an existing Chrome: --chrome-cdp-url or --chrome-debug-port (Chrome must be launched with remote debugging).
Cookie import: --import-cookies (default true) to copy npm cookies from your main Chrome profile.
npm-trustme ensure prompts for confirmation; use --yes in automated/agent runs.
npm-trustme install --non-interactive requires all target fields; use --targets-file for per-package overrides.
For headless runs, provide --storage or inline cookies to avoid interactive login/2FA.

name	npm-trustme
description	Automate npm Trusted Publisher setup via the npm-trustme CLI. Use when configuring or verifying npm Trusted Publishers for GitHub Actions with npx npm-trustme, including browser automation and WebAuthn passkey approval.

npm-trustme

Overview

Automate npm Trusted Publisher setup in the npm web UI. Requires a one-time WebAuthn approval in a real browser session (passkey or security key).

CLI Quick Start

One-time if browsers are missing: npx playwright install
Ensure (create if missing): npx npm-trustme ensure --yes ...
Check only: npx npm-trustme check ...
Generate workflow: npx npm-trustme workflow init
Doctor: npx npm-trustme doctor
Non-interactive install: npx npm-trustme install --non-interactive ...

Required Target Inputs

Required: --package, --owner, --repo, --workflow
Optional: --publishing-access, --environment, --maintainer

Default inference:

package: package.json#name
owner/repo: git remote origin
workflow: .github/workflows/npm-release.yml or the only workflow file

Examples

Check:

npx npm-trustme check \
  --package <PACKAGE_NAME> \
  --owner <GITHUB_OWNER> \
  --repo <GITHUB_REPO> \
  --workflow <WORKFLOW_FILE> \
  --publishing-access <PUBLISHING_ACCESS>

Ensure (create if missing):

npx npm-trustme ensure \
  --package <PACKAGE_NAME> \
  --owner <GITHUB_OWNER> \
  --repo <GITHUB_REPO> \
  --workflow <WORKFLOW_FILE> \
  --publishing-access <PUBLISHING_ACCESS> \
  --yes

Non-interactive install (single package):

npx npm-trustme install --non-interactive \
  --package <PACKAGE_NAME> \
  --owner <GITHUB_OWNER> \
  --repo <GITHUB_REPO> \
  --workflow <WORKFLOW_FILE> \
  --publishing-access disallow-tokens \
  --headless \
  --storage ~/.npm-trustme/storage.json

Non-interactive install (monorepo):

npx npm-trustme install --non-interactive \
  --all-packages \
  --owner <GITHUB_OWNER> \
  --repo <GITHUB_REPO> \
  --workflow npm-release.yml \
  --publishing-access disallow-tokens

Targets file (JSON/YAML):

targets:
  - packageName: my-pkg
    owner: my-org
    repo: my-repo
    workflow: npm-release.yml
    environment: npm
    publishingAccess: disallow-tokens

Workflow write in non-interactive install:

npx npm-trustme install --non-interactive \
  --workflow-init \
  --workflow-file npm-release.yml \
  --workflow-pm pnpm \
  --workflow-node 24 \
  --workflow-trigger release \
  --workflow-dispatch true \
  --workflow-build-command "pnpm build" \
  --workflow-publish-command "npm publish --access public --provenance"

Dedicated Chrome (keeps main browser open):

npx npm-trustme chrome start
npx npm-trustme ensure --yes

Notes

--env-file can load a specific .env path.
--storage can persist Playwright storage state for faster re-runs.
Inline cookies (Sweet Cookie format) are supported: --inline-cookies-json, --inline-cookies-base64, or --inline-cookies-file.
Requires Node >= 22 (Sweet Cookie uses node:sqlite).
Chrome profile reuse (manual session): --chrome-profile / --chrome-profile-dir / --chrome-user-data-dir / --chrome-path.
Connect to an existing Chrome: --chrome-cdp-url or --chrome-debug-port (Chrome must be launched with remote debugging).
Cookie import: --import-cookies (default true) to copy npm cookies from your main Chrome profile.
npm-trustme ensure prompts for confirmation; use --yes in automated/agent runs.
npm-trustme install --non-interactive requires all target fields; use --targets-file for per-package overrides.
For headless runs, provide --storage or inline cookies to avoid interactive login/2FA.

npm-trustme

npm-trustme

Overview

CLI Quick Start

Required Target Inputs

Examples

Notes

More from this repository

npm-trustme

Overview

CLI Quick Start

Required Target Inputs

Examples

Notes

More from this repository