Context:

NPM's Trusted Publishers lets you publish via CI/CD using OIDC instead of long-lived tokens, improving security with automatic provenance and shorter credential lifetimes.

Issue:

I was previously able to successfully publish to NPM with the following config:

...
npms:
  - id: run-mcp
    name: "@ensignia/run-mcp"
    description: A fast, portable, single-binary security scanner for the Model Context Protocol (MCP).
    homepage: https://github.com/ensigniasec/run-mcp
    keywords:
      - cli
      - golang
      - mcp
      - security
      - scanner
    license: Apache-2.0
    author: Ensignia Security [email-protected]
    repository: https://github.com/ensigniasec/run-mcp
    bugs: https://github.com/ensigniasec/run-mcp/issues
    access: public
    format: tar.gz
...

However, after enabling NPM's Trusted Publishers and following the steps to require two-factor auth and disable access tokens, I seem to be trapped between failures when I submit with an and failures when I submit without an

Workaround:

Downgrading to long-lived tokens allowed this workflow to succeed. Under Package → Settings → Publishing access

Questions:
Replies: 1 comment
On further testing, I can't repro the error & goreleaser does currently support Trusted Publishers workflow: https://github.com/frenchi/test-goreleaser-npm-trusted