Document npm trusted publishers (#616)

jtpio · pre-commit-ci[bot] · web-flow · commit 28d08b1ad3d9 · 2025-12-02T09:27:55.000Z
* Document npm truster publishers * [pre-commit.ci] auto fixes from pre-commit.com hooks for more information, see https://pre-commit.ci * Log when there is no npm token * cleanup * More cleanup * specify with setup-node --------- Co-authored-by: pre-commit-ci[bot] <66853113+pre-commit-ci[bot]@users.noreply.github.com>
diff --git a/.github/workflows/check-release.yml b/.github/workflows/check-release.yml
@@ -15,8 +15,6 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
-        with:
-          node_version: "24.x"
       - name: Install Dependencies
         shell: bash
         run: |
diff --git a/.github/workflows/generate-changelog.yml b/.github/workflows/generate-changelog.yml
@@ -32,8 +32,6 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
-        with:
-          node_version: "24.x"
       - name: Install Dependencies
         shell: bash
         run: |
diff --git a/.github/workflows/prep-release.yml b/.github/workflows/prep-release.yml
@@ -32,8 +32,6 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
-        with:
-          node_version: "24.x"
       - name: Install Dependencies
         shell: bash
         run: |
diff --git a/.github/workflows/prep-self-release.yml b/.github/workflows/prep-self-release.yml
@@ -31,8 +31,6 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
-        with:
-          node_version: "24.x"
       - name: Install Dependencies
         shell: bash
         run: |
diff --git a/.github/workflows/publish-changelog.yml b/.github/workflows/publish-changelog.yml
@@ -16,8 +16,6 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
-        with:
-          node_version: "24.x"
 
       - name: Install Dependencies
         shell: bash
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
@@ -21,8 +21,6 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
-        with:
-          node_version: "24.x"
       - name: Install Dependencies
         shell: bash
         run: |
diff --git a/.github/workflows/publish-self-release.yml b/.github/workflows/publish-self-release.yml
@@ -21,8 +21,6 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
-        with:
-          node_version: "24.x"
       - name: Install Dependencies
         shell: bash
         run: |
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -20,8 +20,6 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
-        with:
-          node_version: "24.x"
       - name: Run Linters
         run: |
           hatch run typing:test
@@ -34,8 +32,6 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
-        with:
-          node_version: "24.x"
       - uses: jupyterlab/maintainer-tools/.github/actions/check-links@v1
         with:
           ignore_links: https://blog.jupyter.org/.*
@@ -50,8 +46,6 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
-        with:
-          node_version: "24.x"
 
       - name: Run the tests with coverage on Ubuntu
         if: ${{ matrix.os == 'ubuntu-latest' }}
@@ -78,8 +72,6 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
-        with:
-          node_version: "24.x"
       - env:
           GITHUB_ACCESS_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           RH_REPOSITORY: jupyter-server/jupyter_releaser
@@ -111,7 +103,6 @@ jobs:
       - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
         with:
           dependency_type: minimum
-          node_version: "24.x"
       - name: Run the unit tests
         run: |
           hatch run test:nowarn || hatch run test:nowarn --lf
@@ -126,7 +117,6 @@ jobs:
         with:
           dependency_type: pre
           python_version: "3.12"
-          node_version: "24.x"
       - name: Run the tests
         run: |
           hatch run test:nowarn || hatch run test:nowarn --lf
@@ -137,17 +127,13 @@ jobs:
     steps:
       - uses: actions/checkout@v4
       - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
-        with:
-          node_version: "24.x"
       - run: hatch run docs:build
 
   check_local_actions:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
       - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
-        with:
-          node_version: "24.x"
 
       - name: prep-release
         uses: ./.github/actions/prep-release
diff --git a/docs/source/get_started/making_release_from_releaser.md b/docs/source/get_started/making_release_from_releaser.md
@@ -49,9 +49,40 @@ already uses Jupyter Releaser.
 
 </details>
 
-- If the repo generates npm release(s), add access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens), saved as `NPM_TOKEN` in "Secrets".
+- If the repo generates npm release(s), set up npm:
 
-> If you want to set _provenance_ on your package, you need to ensure the publish release job as `permissions`: `id-token : write` (see the [documentation](https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions)).
+<details><summary>Using npm Trusted Publishers (recommended)</summary>
+
+- npm Trusted Publishers is supported with npm >= 11.5.1
+
+- Ensure the publish release job has `permissions`: `id-token: write` (see the [documentation](https://docs.npmjs.com/generating-provenance-statements))
+
+- Set up the Node.js version in your workflow using one of these approaches:
+
+  Using the `base-setup` action from `jupyterlab/maintainer-tools`:
+
+  ```yaml
+  - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
+  ```
+
+  Or using the standard `setup-node` action:
+
+  ```yaml
+  - uses: actions/setup-node@v6
+    with:
+      node-version: "24.x"
+  ```
+
+- With Trusted Publishers enabled, npm packages will be published without needing to store an `NPM_TOKEN` secret
+
+</details>
+
+<details><summary>Using NPM_TOKEN (legacy way)</summary>
+
+- Create an access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens), saved as `NPM_TOKEN` in "Secrets"
+- If you want to set _provenance_ on your package, you need to ensure the publish release job has `permissions`: `id-token: write` (see the [documentation](https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions))
+
+</details>
 
 ## Prep Release
 
diff --git a/docs/source/how_to_guides/convert_repo_from_releaser.md b/docs/source/how_to_guides/convert_repo_from_releaser.md
@@ -10,7 +10,7 @@ See checklist below for details:
 - Bump version configuration (if using Python), for example [tbump](https://github.com/dmerejkowsky/tbump)
 - [Access token](https://docs.github.com/en/github/authenticating-to-github/creating-a-personal-access-token) with access to target GitHub repo to run GitHub Actions.
 - Access token for the [PyPI registry](https://packaging.python.org/guides/publishing-package-distribution-releases-using-github-actions-ci-cd-workflows/#saving-credentials-on-github)
-- If needed, access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens).
+- If publishing to npm, we recommend using [npm Trusted Publishers](https://docs.npmjs.com/trusted-publishers) (requires npm >= 11.5.1, available via Node.js >= 24). Otherwise, create an access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens).
 
 ## Checklist for Adoption
 
@@ -54,9 +54,40 @@ A. Prep the `jupyter_releaser` fork:
 
 </details>
 
-- [ ] If needed, add access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens), saved as `NPM_TOKEN`.
+- [ ] Set up npm (if publishing to npm):
 
-> If you want to set _provenance_ on your package, you need to ensure the publish release job as `permissions`: `id-token : write` (see the [documentation](https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions)).
+<details><summary>Using npm Trusted Publishers (recommended)</summary>
+
+- npm Trusted Publishers is supported with npm >= 11.5.1
+
+- Ensure the publish release job has `permissions`: `id-token: write` (see the [documentation](https://docs.npmjs.com/generating-provenance-statements))
+
+- Set up the Node.js version in your workflow using one of these approaches:
+
+  Using the `base-setup` action from `jupyterlab/maintainer-tools`:
+
+  ```yaml
+  - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
+  ```
+
+  Or using the standard `setup-node` action:
+
+  ```yaml
+  - uses: actions/setup-node@v6
+    with:
+      node-version: "24.x"
+  ```
+
+- With Trusted Publishers enabled, npm packages will be published with provenance automatically, without needing to store an `NPM_TOKEN` secret
+
+</details>
+
+<details><summary>Using NPM_TOKEN (legacy way)</summary>
+
+- Create an access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens), saved as `NPM_TOKEN`
+- If you want to set _provenance_ on your package, you need to ensure the publish release job has `permissions`: `id-token: write` (see the [documentation](https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions))
+
+</details>
 
 B. Prep target repository:
 
diff --git a/docs/source/how_to_guides/convert_repo_from_repo.md b/docs/source/how_to_guides/convert_repo_from_repo.md
@@ -9,7 +9,7 @@ See checklist below for details:
 - Markdown changelog
 - Bump version configuration (if using Python), for example [hatch](https://hatch.pypa.io/latest/)
 - [Add a trusted publisher](https://docs.pypi.org/trusted-publishers/adding-a-publisher/) to your PyPI project
-- If needed, access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens).
+- If publishing to npm, we recommend using [npm Trusted Publishers](https://docs.npmjs.com/trusted-publishers) (requires npm >= 11.5.1, available via Node.js >= 24). Otherwise, create an access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens).
 
 ## Checklist for Adoption
 
@@ -47,8 +47,41 @@ See checklist below for details:
       _environment_ should be `release` (the name of the GitHub environment).
   - Ensure the publish release job as `permissions`: `id-token : write` (see the [documentation](https://docs.pypi.org/trusted-publishers/using-a-publisher/))
 
-- [ ] If needed, add access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens), saved as `NPM_TOKEN`. Again this should
-  be created using a machine account that only has publish access.
+- [ ] Set up npm (if publishing to npm):
+
+<details><summary>Using npm Trusted Publishers (recommended)</summary>
+
+- npm Trusted Publishers is supported with npm >= 11.5.1
+
+- Ensure the publish release job has `permissions`: `id-token: write` (see the [documentation](https://docs.npmjs.com/generating-provenance-statements))
+
+- Set up the Node.js version in your workflow using one of these approaches:
+
+  Using the `base-setup` action from `jupyterlab/maintainer-tools`:
+
+  ```yaml
+  - uses: jupyterlab/maintainer-tools/.github/actions/base-setup@v1
+  ```
+
+  Or using the standard `setup-node` action:
+
+  ```yaml
+  - uses: actions/setup-node@v6
+    with:
+      node-version: "24.x"
+  ```
+
+- With Trusted Publishers enabled, npm packages will be published with provenance automatically, without needing to store an `NPM_TOKEN` secret
+
+</details>
+
+<details><summary>Using NPM_TOKEN (legacy way)</summary>
+
+- Create an access token for [npm](https://docs.npmjs.com/creating-and-viewing-access-tokens), saved as `NPM_TOKEN`
+- This should be created using a machine account that only has publish access
+- If you want to set _provenance_ on your package, you need to ensure the publish release job has `permissions`: `id-token: write` (see the [documentation](https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions))
+
+</details>
 
 - [ ] Ensure that only trusted users with 2FA have admin access to the repository, since they will be able to trigger releases.
 
diff --git a/docs/source/reference/theory.md b/docs/source/reference/theory.md
@@ -17,7 +17,7 @@ This project should help maintainers reduce toil and save time in the release pr
 
 We strive to use the most secure release practices possible, reflected in the `Checklist for Adoption`
 and the example workflows.
-This includes using PyPI Trusted Publishing, using GitHub Environments, encouraging the use of Rulesets and GitHub Apps with limited bypass capability, and provenance data for npm.
+This includes using PyPI Trusted Publishing, npm Trusted Publishers (with npm >= 11.5.1), using GitHub Environments, encouraging the use of Rulesets and GitHub Apps with limited bypass capability, and provenance data for npm.
 In addition, there is an automatic check for whether the user who triggered the action is an admin.
 
 ## Action Details
diff --git a/jupyter_releaser/npm.py b/jupyter_releaser/npm.py
@@ -1,4 +1,5 @@
 """npm-related utilities."""
+
 # Copyright (c) Jupyter Development Team.
 # Distributed under the terms of the Modified BSD License.
 import json
@@ -153,6 +154,8 @@ def handle_npm_config(npm_token):
         short_reg = registry.replace("https://", "//")
         short_reg = short_reg.replace("http://", "//")
         auth_entry = f"{short_reg}:_authToken={npm_token}"
+    else:
+        util.log("No NPM_TOKEN provided, will attempt to use npm Trusted Publishers if configured")
 
     # Handle existing config
     if npmrc.exists():
@@ -182,13 +185,13 @@ def get_package_versions(version):
     npm_version = data.get("version", "")
     if npm_version != version:
         message += f"\nPython version: {version}"
-        message += f'\nnpm version: {data["name"]}: {npm_version}'
+        message += f"\nnpm version: {data['name']}: {npm_version}"
     if "workspaces" in data:
         message += "\nnpm workspace versions:"
         for path in _get_workspace_packages(data):
             text = path.joinpath("package.json").read_text(encoding="utf-8")
             data = json.loads(text)
-            message += f'\n{data["name"]}: {data.get("version", "")}'
+            message += f"\n{data['name']}: {data.get('version', '')}"
     return message
 
 
