Publishing modes
This action supports three publishing modes via the publish-mode input:
- token (default): Uses classic npm token auth. Supports MFA via Optic/ngrok OTP. Requires npm-token and optionally optic-token or ngrok-token.
- oidc: Uses npm Trusted Publishing with OIDC; no npm token or OTP needed. Requires workflow OIDC permissions and package Trusted Publisher configuration on npm.
- none: Skips npm publish entirely and only performs the orchestration (bump/PR/release/tags).
OIDC (Trusted Publishing)
Requirements (must be configured in your workflow/repo):
- npm CLI: v11.5.1 or later.
- Workflow permissions: grant id-token: write under permissions for the job that publishes.
- Trusted Publisher on npm: Configure your package on npmjs.com to trust your specific GitHub workflow (org/repo/workflow/environment).
- Provenance: npm automatically generates provenance in trusted publishing; you do not need to pass --provenance or set provenance: true.
Reference: npm Trusted Publishing Docs.
Example workflow snippet (OIDC):
    jobs:
      release:
        runs-on: ubuntu-latest
        permissions:
          contents: write
          id-token: write
        steps:
          - uses: actions/checkout@v5
          - uses: nearform-actions/optic-release-automation-action@v4
            with:
              semver: patch
              publish-mode: oidc
Notes:
- Do not set npm-token, optic-token, or ngrok-token when using OIDC.
- access (e.g. public/restricted) is still honored and passed to npm publish.
- If you set provenance: true with OIDC, the action will not add --provenance because npm handles it automatically.
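The OIDC requirements and notes above can be checked before a release runs. The following preflight check is an added example, not code from this action; the function names and the withInputs object (the step's with: block as a plain object) are assumptions made for illustration.

```javascript
// Added example: preflight check for publish-mode: oidc (not part of the action).
const MIN_NPM = [11, 5, 1]; // minimum npm CLI version from the requirements list
const TOKEN_INPUTS = ['npm-token', 'optic-token', 'ngrok-token'];

// Parse "11.5.1" or "v11.6.0-beta.1" into [major, minor, patch].
// Prerelease suffixes are ignored; returns null if the string is malformed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

// True when version >= min, comparing major, then minor, then patch.
function atLeast(version, min) {
  for (let i = 0; i < 3; i++) {
    if (version[i] !== min[i]) return version[i] > min[i];
  }
  return true;
}

// npmVersion: output of `npm --version`.
// env: the job environment (for example process.env).
// withInputs: the action's with: block as an object (hypothetical shape).
// Returns a list of problems; an empty list means the job is ready.
function checkOidcReadiness({ npmVersion, env = {}, withInputs = {} }) {
  if (withInputs['publish-mode'] !== 'oidc') {
    return ['publish-mode is not oidc; this check does not apply'];
  }
  const problems = [];
  const parsed = parseVersion(npmVersion);
  if (!parsed) {
    problems.push(`cannot parse npm version "${npmVersion}"`);
  } else if (!atLeast(parsed, MIN_NPM)) {
    problems.push(`npm ${npmVersion} is older than ${MIN_NPM.join('.')}`);
  }
  // GitHub Actions sets these two variables only for jobs granted id-token: write.
  if (!env.ACTIONS_ID_TOKEN_REQUEST_URL || !env.ACTIONS_ID_TOKEN_REQUEST_TOKEN) {
    problems.push('OIDC token endpoint unavailable; add permissions: id-token: write');
  }
  // Long-lived secrets have no role in OIDC mode and should not reach the step.
  for (const name of TOKEN_INPUTS) {
    if (withInputs[name]) problems.push(`${name} must not be set in oidc mode`);
  }
  return problems;
}
```

Run it in a step before the release action with process.env and the output of npm --version, and fail the job when the returned list is not empty.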
Token mode (classic)
This is the default mode and maintains backward compatibility with existing workflows.
Example workflow snippet (token):
    jobs:
      release:
        runs-on: ubuntu-latest
        steps:
          - uses: actions/checkout@v5
          - uses: nearform-actions/optic-release-automation-action@v4
            with:
              semver: patch
              publish-mode: token # optional, it defaults to token
              npm-token: ${{ secrets.NPM_TOKEN }}
              # Optional for MFA flows
              optic-token: ${{ secrets.OPTIC_TOKEN }}
              ngrok-token: ${{ secrets.NGROK_TOKEN }}
              # Optional
              provenance: false
Backward compatibility
If publish-mode is omitted, the action behaves as before (token mode).