GitHub Action for publishing npm packages with pnpm and creating GitHub releases.
Authenticate either with an npm_token or, by omitting it, via OIDC trusted
publishing — no token to rotate or
expire. For OIDC, configure a Trusted Publisher for the package on npm (pointing
at this repo + workflow) and grant the job permissions: id-token: write (the
reusable workflow already does). When npm_token is empty the action takes the
OIDC path automatically.
# .github/workflows/release.yml
name: Release
on:
push:
tags: ['v*']
jobs:
release:
uses: runsascoded/pnpm-release/.github/workflows/release.yml@v1
# OIDC trusted publishing (recommended): omit `secrets` entirely.
# Token auth: pass `secrets: { npm_token: ${{ secrets.NPM_TOKEN }} }`.# .github/workflows/release.yml
name: Release
on:
push:
tags: ['v*']
jobs:
release:
runs-on: ubuntu-latest
permissions:
contents: write
id-token: write
steps:
- uses: runsascoded/pnpm-release@v1
# OIDC trusted publishing (recommended): drop the `with:` block.
# Token auth: add `with: { npm_token: ${{ secrets.NPM_TOKEN }} }`.- Checks out your code at the tag
- Sets up pnpm and Node.js, installs dependencies
- Runs your build command (default:
pnpm run build) - Publishes to npm with
pnpm publish— token auth ifnpm_tokenis set, else OIDC trusted publishing - Creates a GitHub release with auto-generated release notes
- Outputs links to NPM and GitHub releases (in logs and as workflow annotations)
| Input | Description | Default |
|---|---|---|
npm_token |
NPM authentication token. Omit for OIDC trusted publishing (needs id-token: write + a Trusted Publisher configured on npm). |
'' |
node_version |
Node.js version | '20' |
pnpm_version |
pnpm version | '10' |
build_command |
Build command to run | 'pnpm run build' |
publish_args |
Additional args for pnpm publish |
'--access public --no-git-checks' |
Just push a tag:
git tag v1.0.0
git push origin v1.0.0The action handles building, publishing to npm, and creating the GitHub release with auto-generated notes.
- pnpm-dist - Sibling action for building and maintaining npm package distribution branches
MIT