1- name : Check NPM Authentication
1+ name : Check NPM Publishing (Trusted Publishers)
22
33on :
44 workflow_dispatch :
5- inputs :
6- dry_run_publish :
7- description : ' Also run npm publish --dry-run to test full publish flow'
8- required : false
9- default : false
10- type : boolean
5+
6+ # Required for OIDC token exchange with npm
7+ permissions :
8+ contents : read
9+ id-token : write
1110
1211jobs :
13- check-npm-auth :
12+ test-publish :
1413 runs-on : ubuntu-latest
14+ environment : npm-publish
1515
1616 steps :
1717 - uses : actions/checkout@v4
@@ -21,37 +21,40 @@ jobs:
2121 node-version : 22
2222 registry-url : ' https://registry.npmjs.org'
2323
24- - name : Check NPM authentication
25- env :
26- NODE_AUTH_TOKEN : ${{ secrets.NPM_TOKEN }}
24+ - name : Build package
25+ working-directory : src
26+ run : |
27+ echo "📦 Building package..."
28+ npm ci
29+ npm run build
30+
31+ - name : Test publish with provenance (dry-run)
32+ working-directory : src/dist
2733 run : |
28- echo "🔐 Checking NPM authentication..."
34+ echo "🔐 Testing Trusted Publishers + Provenance (dry-run)..."
35+ echo "---"
36+ echo "This will:"
37+ echo " 1. Request OIDC token from GitHub"
38+ echo " 2. Exchange it with npm for temporary credentials"
39+ echo " 3. Generate provenance attestation"
40+ echo " 4. Simulate publish (without actually publishing)"
2941 echo "---"
3042
31- if npm whoami ; then
43+ if npm publish --provenance --dry-run ; then
3244 echo "---"
33- echo "✅ NPM authentication successful!"
34- echo "You are logged in and ready to publish."
45+ echo "✅ Trusted Publishers setup is working!"
46+ echo "✅ Provenance generation successful!"
47+ echo "✅ Ready to publish for real."
3548 else
3649 echo "---"
37- echo "❌ NPM authentication failed!"
38- echo "The NPM_TOKEN secret may be invalid or revoked."
39- echo "Please generate a new token at https://www.npmjs.com/settings/tokens"
50+ echo "❌ Publish dry-run failed!"
51+ echo ""
52+ echo "Possible causes:"
53+ echo " 1. Trusted Publisher not configured on npmjs.com"
54+ echo " → Go to: https://www.npmjs.com/package/angular-cli-ghpages/access"
55+ echo " → Add Trusted Publisher: angular-schule/angular-cli-ghpages"
56+ echo " 2. Workflow filename mismatch"
57+ echo " → Ensure npmjs.com has: check-npm-auth.yml"
58+ echo " 3. Repository/owner mismatch"
4059 exit 1
4160 fi
42-
43- - name : Test publish (dry-run)
44- if : ${{ inputs.dry_run_publish }}
45- env :
46- NODE_AUTH_TOKEN : ${{ secrets.NPM_TOKEN }}
47- working-directory : src
48- run : |
49- echo "📦 Building package..."
50- npm ci
51- npm run build
52-
53- echo "🧪 Testing publish (dry-run)..."
54- cd dist
55- npm publish --dry-run
56-
57- echo "✅ Dry-run publish successful!"
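Review bot: The `Build package` step runs `npm ci` and `npm run build` in the same job that holds `id-token: write` and the `npm-publish` environment, so every dependency install script and build script executes where an OIDC token for the trusted publisher can be requested. Consider building in a separate job that has only `contents: read` and passing `src/dist` to the publish job as an artifact, or at minimum use `npm ci --ignore-scripts` if the build tolerates it. Declaring `permissions:` on the `test-publish` job rather than at workflow level would also keep any job added later from inheriting `id-token: write`. Separately, the success messages state that Trusted Publishers and provenance generation work, but it is not clear from this page that `npm publish --provenance --dry-run` actually performs the token exchange or signing, so the wording may overstate what was verified.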