Commit f96bfad

feat: Trusted Publishing to npmjs.com (#1705)
feat: add NPM_TRUSTED_PUBLISHER support for npm publishing
1 parent 3f779c6 commit f96bfad

2 files changed

+27
-20
lines changed

README.md

Lines changed: 17 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -69,6 +69,7 @@ npx publib-npm [DIR]
6969
| Option | Required | Description |
7070
| ----------------------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
7171
| `NPM_TOKEN` | Optional | Registry authentication token (either [npm.js publishing token](https://docs.npmjs.com/creating-and-viewing-authentication-tokens) or a [GitHub personal access token](https://help.github.com/en/packages/using-github-packages-with-your-projects-ecosystem/configuring-npm-for-use-with-github-packages#authenticating-to-github-packages)), not used for AWS CodeArtifact |
72+
| `NPM_TRUSTED_PUBLISHER` | Optional | Use a [Trusted Publisher](https://docs.npmjs.com/trusted-publishers) configuration to publish packages. Requires npm CLI version 11.5.1 or later. When set, `NPM_TOKEN` will be ignored. |
7273
| `NPM_REGISTRY` | Optional | The registry URL (defaults to "registry.npmjs.org"). Use "npm.pkg.github.com" to publish to GitHub Packages. Use repository endpoint for AWS CodeAtifact, e.g. "my-domain-111122223333.d.codeartifact.us-west-2.amazonaws.com/npm/my_repo/". |
7374
| `NPM_DIST_TAG` | Optional | Registers the published package with the given [dist-tag](https://docs.npmjs.com/cli/dist-tag) (e.g. `next`, default is `latest`) |
7475
| `NPM_ACCESS_LEVEL` | Optional | Publishes the package with the given [access level](https://docs.npmjs.com/cli/v8/commands/npm-publish#access) (e.g. `public`, default is `restricted` for scoped packages and `public` for unscoped packages) |
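Review bot: the new `NPM_TRUSTED_PUBLISHER` row states a hard requirement ("Requires npm CLI version 11.5.1 or later") that nothing in `bin/publib-npm` enforces, so a runner with an older CLI fails at publish time with an opaque registry error instead of a clear message; suggest either a version check in the script or a sentence here telling users to confirm with `npm --version`. The row should also say which registries it applies to: the commit title scopes Trusted Publishing to npmjs.com, yet the table goes on to describe `NPM_REGISTRY` values for GitHub Packages and AWS CodeArtifact without saying that `NPM_TRUSTED_PUBLISHER` is not meaningful with those. A short "npmjs.com only; not supported for GitHub Packages or CodeArtifact" in the description would prevent the misconfiguration that the script change below does not reject.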
@@ -107,23 +108,22 @@ npx publib-maven [DIR]
107108

108109
The server type is selected using the `MAVEN_SERVER_ID` variable.
109110

110-
- `MAVEN_SERVER_ID=ossrh`; this is currently the default but will stop working in July 2025. Publish to the old OSSRH Nexus server.
111-
- `MAVEN_SERVER_ID=central-ossrh`; publish to the new Central Publishing platform using a service endpoint more-or-less compatible with the old OSSRH Nexus server. This is required to publish to Maven Central starting July 2025.
112-
- `MAVEN_SERVER_ID=<anything else>`; publish to a custom Nexus server.
113-
114-
115-
| Server | Option | Required | Description |
116-
|----------------------| --------------------------------------- | -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
117-
| (all) | `MAVEN_SERVER_ID` | Yes going forward | Either `ossrh` (default but deprecated), `central-ossrh`, or any other string for a custom Nexus server. |
118-
| (all) | `MAVEN_USERNAME` and `MAVEN_PASSWORD` | Yes | Username and password for maven repository. For Maven Central, you will need to [Create JIRA account](https://issues.sonatype.org/secure/Signup!default.jspa) and then request a [new project](https://issues.sonatype.org/secure/CreateIssue.jspa?issuetype=21&pid=10134). Read the [OSSRH guide](https://central.sonatype.org/pages/ossrh-guide.html) for more details. |
119-
| (all) | `MAVEN_DRYRUN` | No | Set to "true" for a dry run |
120-
| (all) | `MAVEN_VERBOSE` | No | Make Maven print debug output if set to `true` |
121-
| `central-ossrh` | `MAVEN_GPG_PRIVATE_KEY[_FILE]` and `MAVEN_GPG_PRIVATE_KEY_PASSPHRASE` | Yes | GPG private key or file that includes it. This is used to sign your Maven packages. See instructions below |
122-
| `central-ossrh` | `MAVEN_ENDPOINT` | No | URL of Nexus repository. Defaults to `https://ossrh-staging-api.central.sonatype.com/`. |
123-
| `<custom>` | `MAVEN_REPOSITORY_URL` | No | Deployment repository when not deploying to Maven Central |
124-
| `ossrh` (deprecated) | `MAVEN_GPG_PRIVATE_KEY[_FILE]` and `MAVEN_GPG_PRIVATE_KEY_PASSPHRASE` | Yes | GPG private key or file that includes it. This is used to sign your Maven packages. See instructions below |
125-
| `ossrh` (deprecated) | `MAVEN_STAGING_PROFILE_ID` | Yes | Central Publisher (sonatype) staging profile ID, corresponding to namespace (e.g. `com.sonatype.software`). |
126-
| `ossrh` (deprecated) | `MAVEN_ENDPOINT` | No | URL of Nexus repository. Defaults to `https://central.sonatype.com`. |
111+
* `MAVEN_SERVER_ID=ossrh`; this is currently the default but will stop working in July 2025. Publish to the old OSSRH Nexus server.
112+
* `MAVEN_SERVER_ID=central-ossrh`; publish to the new Central Publishing platform using a service endpoint more-or-less compatible with the old OSSRH Nexus server. This is required to publish to Maven Central starting July 2025.
113+
* `MAVEN_SERVER_ID=<anything else>`; publish to a custom Nexus server.
114+
115+
| Server | Option | Required | Description |
116+
| -------------------- | --------------------------------------------------------------------- | ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
117+
| (all) | `MAVEN_SERVER_ID` | Yes going forward | Either `ossrh` (default but deprecated), `central-ossrh`, or any other string for a custom Nexus server. |
118+
| (all) | `MAVEN_USERNAME` and `MAVEN_PASSWORD` | Yes | Username and password for maven repository. For Maven Central, you will need to [Create JIRA account](https://issues.sonatype.org/secure/Signup!default.jspa) and then request a [new project](https://issues.sonatype.org/secure/CreateIssue.jspa?issuetype=21&pid=10134). Read the [OSSRH guide](https://central.sonatype.org/pages/ossrh-guide.html) for more details. |
119+
| (all) | `MAVEN_DRYRUN` | No | Set to "true" for a dry run |
120+
| (all) | `MAVEN_VERBOSE` | No | Make Maven print debug output if set to `true` |
121+
| `central-ossrh` | `MAVEN_GPG_PRIVATE_KEY[_FILE]` and `MAVEN_GPG_PRIVATE_KEY_PASSPHRASE` | Yes | GPG private key or file that includes it. This is used to sign your Maven packages. See instructions below |
122+
| `central-ossrh` | `MAVEN_ENDPOINT` | No | URL of Nexus repository. Defaults to `https://ossrh-staging-api.central.sonatype.com/`. |
123+
| `<custom>` | `MAVEN_REPOSITORY_URL` | No | Deployment repository when not deploying to Maven Central |
124+
| `ossrh` (deprecated) | `MAVEN_GPG_PRIVATE_KEY[_FILE]` and `MAVEN_GPG_PRIVATE_KEY_PASSPHRASE` | Yes | GPG private key or file that includes it. This is used to sign your Maven packages. See instructions below |
125+
| `ossrh` (deprecated) | `MAVEN_STAGING_PROFILE_ID` | Yes | Central Publisher (sonatype) staging profile ID, corresponding to namespace (e.g. `com.sonatype.software`). |
126+
| `ossrh` (deprecated) | `MAVEN_ENDPOINT` | No | URL of Nexus repository. Defaults to `https://central.sonatype.com`. |
127127

128128
**How to create a GPG key**
129129

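Review bot: this hunk is formatting churn only (Maven list bullets changed from `-` to `*`, table separator re-padded) and has nothing to do with the Trusted Publishing feature named in the commit title; it accounts for most of the README diff and makes it harder to see that no Maven documentation content changed. Suggest moving it to a separate chore commit, or at minimum mentioning it in the commit message so reviewers do not have to diff the two 17-line tables by eye to confirm they are identical apart from whitespace.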
bin/publib-npm

Lines changed: 10 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -10,6 +10,7 @@ set -eu
1010
# DIR: directory where npm tarballs are found (default is `dist/js`).
1111
#
1212
# NPM_TOKEN (optional): registry authentication token (either from npmjs or a GitHub personal access token), not used for AWS CodeArtifact
13+
# NPM_TRUSTED_PUBLISHER (optional): use a Trusted Publisher configuration instead of tokens, any value
1314
# NPM_REGISTRY (optional): the registry URL (defaults to "registry.npmjs.org")
1415
# AWS_ACCESS_KEY_ID (optional): If AWS CodeArtifact is used as registry, an AWS access key can be spedified.
1516
# AWS_SECRET_ACCESS_KEY (optional): Secret access key that belongs to the AWS access key.
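Review bot: the new header comment `# NPM_TRUSTED_PUBLISHER (optional): use a Trusted Publisher configuration instead of tokens, any value` says any value enables the mode, while the error message added further down tells users to set `NPM_TRUSTED_PUBLISHER=true`; pick one convention and state it in both places (for example "set to any non-empty value, e.g. `true`"). Because the later check is `! [ -z "${NPM_TRUSTED_PUBLISHER:-}" ]`, `NPM_TRUSTED_PUBLISHER=false` also enables it, which is worth spelling out here since CI variable templates often carry boolean-looking defaults. While touching this block, `spedified` in the unchanged `AWS_ACCESS_KEY_ID` comment could be corrected to `specified`.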
@@ -34,13 +35,19 @@ if ! [ -z "${NPM_REGISTRY:-}" ] && [[ $NPM_REGISTRY =~ .codeartifact.*.amazonaws
3435
export AWS_SESSION_TOKEN="$(echo $credentials | cut -d' ' -f5)"
3536
fi
3637
NPM_TOKEN=`aws codeartifact get-authorization-token --domain $codeartifact_domain --domain-owner $codeartifact_account --region $codeartifact_region --query authorizationToken --output text`
37-
elif [ -z "${NPM_TOKEN:-}" ]; then
38-
echo "NPM_TOKEN is required"
38+
elif [ -z "${NPM_TOKEN:-}" ] && [ -z "${NPM_TRUSTED_PUBLISHER:-}" ]; then
39+
echo "NPM_TOKEN=<token> or NPM_TRUSTED_PUBLISHER=true is required"
3940
exit 1
4041
fi
4142

43+
if ! [ -z "${NPM_TRUSTED_PUBLISHER:-}" ]; then
44+
unset NPM_TOKEN
45+
fi
46+
4247
NPM_REGISTRY=${NPM_REGISTRY:-"registry.npmjs.org"}
43-
echo "//${NPM_REGISTRY%%/}/:_authToken=${NPM_TOKEN}" > ~/.npmrc
48+
if ! [ -z "${NPM_TOKEN:-}" ]; then
49+
echo "//${NPM_REGISTRY%%/}/:_authToken=${NPM_TOKEN}" > ~/.npmrc
50+
fi
4451

4552
# this overrides any registry configuration defined externally. For example, yarn sets the registry to the yarn proxy
4653
# which requires `yarn login`. but since we are logging in through ~/.npmrc, we must make sure we publish directly to npm.
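Review bot: the new `unset NPM_TOKEN` block runs after the CodeArtifact branch has just fetched a token into `NPM_TOKEN` via `aws codeartifact get-authorization-token`, so a CodeArtifact `NPM_REGISTRY` combined with `NPM_TRUSTED_PUBLISHER` discards that fresh token, writes no `~/.npmrc`, and the publish fails later with a registry authentication error rather than a clear message; either reject the combination up front (the commit title scopes Trusted Publishing to npmjs.com) or move the `unset` into the `elif` path so it cannot clobber the CodeArtifact token. Second, the old line `echo "//${NPM_REGISTRY%%/}/:_authToken=${NPM_TOKEN}" > ~/.npmrc` always overwrote the file, whereas the new guarded version leaves `~/.npmrc` untouched in trusted-publisher mode, so a stale `_authToken` entry from an earlier job step could still be presented to the registry and the run would not actually be using the Trusted Publisher; suggest explicitly clearing that entry in the trusted-publisher branch (for example `npm config delete "//${NPM_REGISTRY%%/}/:_authToken"` or truncating the file) so the OIDC path cannot silently fall back to a leftover credential. Finally, the message `NPM_TOKEN=<token> or NPM_TRUSTED_PUBLISHER=true is required` should match whatever convention the header comment settles on for the variable's value.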
