@sverweij
Last active May 4, 2024 10:58
Setting up npm provenance with GitHub actions
  • for the package in your npmjs account, set the publishing access to "Require two-factor authentication or an automation or granular access token" (with just two-factor auth, publishing will bork).
  • in your npmjs account create an automation token (or a 'fine-grained' one) and remember the key to paste ...
  • under your repo's settings -> secrets and variables -> actions add a secret named NPM_TOKEN and paste the key from your npmjs account in it
  • add the workflow files below to .github/workflows
  • the setup uses npm clean-install (= npm ci) so it needs a package-lock.json
    • change .npmrc so it allows for package locks
    • ensure .gitignore doesn't contain a line for package-locks
    • run npm i to generate the package lock
  • commit & push the shebang
  • on GitHub create a release (or prerelease)

name: publish pre-releases as beta to npmjs
on:
  release:
    types: [prereleased]
jobs:
  publish-as-beta:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # lets the job request the OIDC token that npm uses to sign the provenance statement
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22.x
          registry-url: https://registry.npmjs.org
      # clean-install (= npm ci) needs a committed package-lock.json
      - run: npm clean-install
      # --tag beta publishes under the beta dist-tag instead of latest
      - run: npm publish --provenance --access public --tag beta
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

name: publish to npmjs
on:
  release:
    types: [released]
jobs:
  publish-as-latest:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # lets the job request the OIDC token that npm uses to sign the provenance statement
      id-token: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22.x
          registry-url: https://registry.npmjs.org
      # clean-install (= npm ci) needs a committed package-lock.json
      - run: npm clean-install
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
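
A preflight check for the checklist and workflows above, as an added example that is not part of the original gist. The function name `provenance_preflight` and its pattern-based checks are assumptions: it only recognises `package-lock=false` in .npmrc and a literal `package-lock.json` entry in .gitignore.

```shell
#!/bin/sh
# Added example (not from the gist). Usage: provenance_preflight <repo-dir>
# Prints one FAIL line per problem; returns 0 only when nothing was found.
provenance_preflight() {
  dir=${1:-.}
  problems=0
  fail() { printf 'FAIL: %s\n' "$1"; problems=$((problems + 1)); }

  # npm clean-install needs an existing lock file.
  [ -f "$dir/package-lock.json" ] || fail "package-lock.json is missing (run npm i)"

  # package-lock=false in .npmrc stops npm from writing the lock file.
  if [ -f "$dir/.npmrc" ] &&
     grep -Eq '^[[:space:]]*package-lock[[:space:]]*=[[:space:]]*false' "$dir/.npmrc"; then
    fail ".npmrc disables package locks"
  fi

  # A .gitignore entry keeps the lock file out of the CI checkout.
  if [ -f "$dir/.gitignore" ] &&
     grep -Eq '^[[:space:]]*/?package-lock\.json[[:space:]]*$' "$dir/.gitignore"; then
    fail ".gitignore excludes package-lock.json"
  fi

  # Every workflow that publishes needs the OIDC permission, the flag and the token.
  found=0
  for wf in "$dir"/.github/workflows/*.yml "$dir"/.github/workflows/*.yaml; do
    [ -f "$wf" ] || continue
    grep -q -e 'npm publish' "$wf" || continue
    found=1
    grep -Eq -e '^[[:space:]]*id-token:[[:space:]]*write' "$wf" ||
      fail "$wf: missing 'id-token: write' permission"
    grep -Eq -e 'npm publish.*--provenance' "$wf" ||
      fail "$wf: npm publish runs without --provenance"
    grep -q -e 'NODE_AUTH_TOKEN' "$wf" ||
      fail "$wf: NODE_AUTH_TOKEN is not set for the publish step"
  done
  [ "$found" -eq 1 ] || fail "no workflow under .github/workflows runs npm publish"

  [ "$problems" -eq 0 ]
}
```

Source the file and run `provenance_preflight .` from the repository root before creating the release.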