Copilot AI commented Oct 17, 2025

  • Analyze existing npm-publish.yml workflow file
  • Update workflow to add NPM_TOKEN and GITHUB_TOKEN environment variables
  • Add workflow_dispatch trigger for manual runs
  • Update permissions to include packages: write and actions: read
  • Add npm auth configuration step that writes token to ~/.npmrc
  • Add token validation in the configure npm auth step
  • Test workflow file syntax
  • Verify all required changes are included

Summary: Adds a GitHub Actions workflow to publish to npm using semantic-release and runtime-authenticated npm credentials.

Why: The current CI fails with "Invalid npm token" and "No GitHub token specified" because the workflow lacks NPM_TOKEN and possibly GH_TOKEN usage. This workflow writes the token at runtime into ~/.npmrc and runs semantic-release, preventing storing sensitive data in the repo and avoiding deprecated always-auth entries in versioned .npmrc files.

Required repository secrets (Settings → Secrets and variables → Actions):

  1. NPM_TOKEN — generate one at https://www.npmjs.com/settings/
Original prompt

This pull request adds a GitHub Actions workflow that configures npm authentication and runs semantic-release to publish packages to npm and create GitHub releases. It also includes guidance in the PR body about adding the required repository secrets and about removing deprecated .npmrc settings.

Changes to introduce:

  1. Add a workflow file .github/workflows/npm-publish.yml that:

    • Triggers on push to the default branch and on manual dispatch.
    • Sets necessary permissions for contents and packages.
    • Uses actions/checkout and actions/setup-node.
    • Writes NPM_TOKEN to ~/.npmrc at runtime (prevents storing tokens in the repo and avoids always-auth in repo .npmrc).
    • Runs npm ci and npx semantic-release with NPM_TOKEN and GITHUB_TOKEN in the environment.
  2. PR body will explain how to add the secrets (NPM_TOKEN and optionally GH_TOKEN), how to generate the npm token, and steps to remove any always-auth from .npmrc if present.

Files to create:

name: Release / Publish to npm

on:
  push:
    branches:
      - main
  workflow_dispatch:

permissions:
  contents: write
  packages: write
  issues: write
  actions: read

jobs:
  release:
    runs-on: ubuntu-latest
    env:
      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Use Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          registry-url: 'https://registry.npmjs.org'

      - name: Configure npm auth
        run: |
          if [ -z "${NPM_TOKEN}" ]; then
            echo "ERROR: NPM_TOKEN is not set. Add NPM_TOKEN in repository secrets."
            exit 1
          fi
          echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc
          npm whoami || true

      - name: Install dependencies
        run: npm ci

      - name: Run semantic-release
        run: npx semantic-release
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

PR description (to be used as the pull request body):

  • Summary: Adds a GitHub Actions workflow to publish to npm using semantic-release and runtime-authenticated npm credentials.

  • Why: The current CI fails with "Invalid npm token" and "No GitHub token specified" because the workflow lacks NPM_TOKEN and possibly GH_TOKEN usage. This workflow writes the token at runtime into ~/.npmrc and runs semantic-release, preventing storing sensitive data in the repo and avoiding deprecated always-auth entries in versioned .npmrc files.

  • Required repository secrets (Settings → Secrets and variables → Actions):

    1. NPM_TOKEN — generate one at https://www.npmjs.com/settings//tokens (create an Automation token with publish rights).
    2. (Optional) GH_TOKEN — personal access token if you need more permissions than the default GITHUB_TOKEN. In most cases the default GITHUB_TOKEN is sufficient; the workflow uses GITHUB_TOKEN by default.
  • Notes about .npmrc in the repo:
    If the repository contains a checked-in .npmrc with "always-auth=true" or with a hard-coded token, remove those lines. This workflow writes the token during CI and having always-auth in versioned .npmrc can produce warnings and conflicts.

  • How to test locally before pushing:
    export NPM_TOKEN=your_token
    echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc
    npm whoami
    npm ci
    npx semantic-release --dry-run

Please create the PR branch and open a pull request containing the new workflow file and the PR body above. The default base branch should be used (leave base branch unset).




Co-authored-by: 0xgotchi <186452318+0xgotchi@users.noreply.github.com>
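
The note above about a checked-in .npmrc (remove `always-auth` lines and hard-coded tokens) can be checked mechanically before merging. The following is an added example, not part of this pull request or of Copilot's output; the function name `audit_npmrc` and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Audit a versioned .npmrc for always-auth entries and literal auth tokens.
# Prints "<file>:<line>: <reason>" per finding and returns the finding count
# (0 = clean). Credential values are never echoed.
audit_npmrc() {
  local file="$1" lineno=0 findings=0 line key value
  [ -r "$file" ] || { echo "$file: cannot read" >&2; return 255; }
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    case $line in *=*) ;; *) continue ;; esac        # only key=value lines
    key=$(printf '%s' "${line%%=*}" | tr -d '[:space:]')
    value=$(printf '%s' "${line#*=}" | tr -d '[:space:]"'"'")
    case $key in
      '#'*|';'*) continue ;;                          # commented-out setting
      always-auth|*:always-auth)
        echo "$file:$lineno: deprecated always-auth setting"
        findings=$((findings + 1)) ;;
      _authToken|*:_authToken)
        # A ${VAR} reference is expanded by npm at run time and keeps the
        # secret out of the repository; any other value is a literal token.
        case $value in
          '${'*'}') ;;
          *) echo "$file:$lineno: hard-coded credential in ${key##*:} (value withheld)"
             findings=$((findings + 1)) ;;
        esac ;;
    esac
  done < "$file"
  return "$findings"
}

# Constructed sample: two problems (lines 2 and 3) and one safe reference.
sample=$(mktemp)
cat > "$sample" <<'EOF'
registry=https://registry.npmjs.org/
always-auth=true
//registry.npmjs.org/:_authToken=CONSTRUCTED-PLACEHOLDER-NOT-A-TOKEN
//npm.pkg.github.com/:_authToken=${GITHUB_TOKEN}
EOF
audit_npmrc "$sample" || echo "findings: $?"
rm -f "$sample"
```

Run against the repository's own `.npmrc` in a pre-merge check, a non-zero return fails the job without printing the offending token to the log.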