README.md
13 additions & 2 deletions
@@ -37,9 +37,17 @@ The plugin can be configured in the [**semantic-release** configuration file](ht
37
37
38
38
### npm registry authentication
39
39
40
-
The npm [token](https://docs.npmjs.com/about-access-tokens) authentication configuration is **required** and can be set via [environment variables](#environment-variables).
40
+
### Official Registry
41
41
42
-
Automation tokens are recommended since they can be used for an automated workflow, even when your account is configured to use the [`auth-and-writes` level of 2FA](https://docs.npmjs.com/about-two-factor-authentication#authorization-and-writes).
42
+
When publishing to the [official registry](https://registry.npmjs.org/), it is recommended to publish with authentication that is intended for automation:
43
+
44
+
*[OIDC publishing](https://docs.npmjs.com/trusted-publishers) is recommended when publishing from a CI provider
45
+
*[Granular access tokens](https://docs.npmjs.com/creating-and-viewing-access-tokens#creating-granular-access-tokens-on-the-website) are recommended when publishing from a CI provider that is not supported by npm for OIDC publishing, and can be set via [environment variables](#environment-variables)
46
+
47
+
### Alternative Registries
48
+
49
+
The npm token authentication configuration is **required** and can be set via [environment variables](#environment-variables).
50
+
See the documentation for your registry for details on how to create a token for automation.
43
51
44
52
### npm provenance
45
53
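Review bot: The added `### Official Registry` and `### Alternative Registries` headings sit at the same level as their parent `### npm registry authentication`, so they render as siblings of it and of `### npm provenance` rather than as subsections; make them `####`, matching `#### npm provenance on GitHub Actions` further down. In the first bullet, the condition "when publishing from a CI provider" is incomplete next to the second bullet's "a CI provider that is not supported by npm for OIDC publishing"; say "a CI provider that npm supports for OIDC publishing" so the two cases are clearly exclusive. The removed text explained how automation tokens behave under the `auth-and-writes` level of 2FA, and the new granular-token bullet drops that without a replacement; a sentence on how granular tokens interact with 2FA, and a recommendation to scope the token to the packages being published, would keep readers from creating broader tokens than they need. The Official Registry section also no longer states that authentication is required, which the Alternative Registries section still does.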
@@ -49,6 +57,9 @@ Since semantic-release wraps the npm publish command, configuring provenance is
49
57
Instead, provenance can be configured through the [other configuration options exposed by npm](https://docs.npmjs.com/generating-provenance-statements#using-third-party-package-publishing-tools).
50
58
Provenance applies specifically to publishing, so our recommendation is to configure under `publishConfig` within the `package.json`.
51
59
60
+
> [!NOTE]
61
+
> When publishing a public package to the official registry with OIDC, [npm provenance is automatically enabled](https://docs.npmjs.com/trusted-publishers#automatic-provenance-generation) and does not require any additional configuration.
62
+
52
63
#### npm provenance on GitHub Actions
53
64
54
65
For package provenance to be signed on the GitHub Actions CI the following permission is required
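Review bot: The added note says provenance with OIDC "does not require any additional configuration", but it is placed directly above the "npm provenance on GitHub Actions" section, which states that a permission is required for provenance to be signed. State in the note whether that GitHub Actions permission is still needed in the OIDC case, otherwise readers may drop it from their workflow. The note is also limited to a public package on the official registry; add a clause saying that for other cases the `publishConfig` setup described just above still applies.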