jsonlee12138/actions-npm
skills/actions-npm/SKILL.md
Use when creating or debugging GitHub Actions workflows that publish npm packages with trusted publishing / OIDC. Triggers on npm publish in CI, ENEEDAUTH, E404 or E422 during publish, tag-triggered releases, setup-node auth behavior, or provenance issues in public vs private GitHub repositories.
$ install --global
skillsauthnpx skillsauth add jsonlee12138/prompts actions-npmInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: May 12, 2026, 7:21 AM108.9s2 files scanned
SKILL.md
- name:
- actions-npm
- description:
- Use when creating or debugging GitHub Actions workflows that publish npm packages with trusted publishing / OIDC. Triggers on npm publish in CI, ENEEDAUTH, E404 or E422 during publish, tag-triggered releases, setup-node auth behavior, or provenance issues in public vs private GitHub repositories.
Actions NPM Publish (Trusted Publishing)
Workflow Template
See assets/release-npm.yml — 可直接复制到 .github/workflows/ 使用。
How It Works
trusted publishing 用 GitHub OIDC 替代长期有效的 NPM_TOKEN:
- workflow 运行在 GitHub-hosted runner 上
- job 具备
permissions.id-token: write - npm /
actions/setup-node用 GitHub OIDC 身份换取发布凭证 npm publish使用该凭证发布
不需要 NPM_TOKEN secret。
Verified Requirements
- workflow 必须在
.github/workflows/ - 必须使用 GitHub-hosted runner
- 必须有
id-token: write - npm trusted publisher 必须精确匹配仓库和 workflow 文件名,例如
release-auth-sdk.yml package.json.repository.url必须匹配 GitHub 仓库 URL- 推荐
actions/setup-node@v6 - 推荐 Node 24;如果保留 Node 22,需确认 npm 已升级到
11.5.1+
Important Gotchas
- 使用
actions/setup-node@v6时,不要再手动设置NODE_AUTH_TOKEN: ""。按实测,这种组合会导致ENEEDAUTH;优先让setup-node自己处理发布凭证。 npm notice Publishing to https://registry.npmjs.org/之后再报E404,通常说明认证已经通过,但 npm 侧的包权限、scope 权限,或 trusted publisher 元数据仍不匹配。E422 ... Unsupported GitHub Actions source repository visibility: "private"表示 private GitHub 仓库不支持--provenance。此时去掉--provenance,保留普通 trusted publishing 即可。- provenance 目前只适用于 public source repository。
Publish Command
- public GitHub repo:
npm publish --provenance --access public - private GitHub repo:
npm publish --access public
Quick Checklist
actions/setup-node@v6node-version: "24"registry-url: https://registry.npmjs.org/- 不配置
NPM_TOKEN - 不手动覆盖
NODE_AUTH_TOKEN - npm 后台 trusted publisher 中的 workflow filename 与实际文件名完全一致
Related Skills
jsonlee12138/makefile
development
VerifiedTrustedCommunity
Use when creating, editing, or validating Makefiles. Provides templates for Go, Node, Python, Docker, and Monorepo projects with self-documenting help targets. Also validates existing Makefiles against conventions. Triggers on: Makefile, makefile, make help, validate makefile, lint makefile.
2SKILL.mdUpdated May 12, 2026
jsonlee12138/claude-design
development
VerifiedTrustedCommunity
Unified design workflow router for critique, accessibility review, developer handoff, design system work, UX copy, user research, and research synthesis. Use when users ask naturally for design feedback, mockup review, a11y audit, handoff specs, UX writing, research planning, research synthesis, or mention Figma, Pencil, or HTML design workflows and should not need to invoke separate sub-skills manually.
2SKILL.mdUpdated May 12, 2026
jsonlee12138/vite-tanstack
tools
VerifiedTrustedCommunity
TanStack (Router/Query/Form/Table) configuration guide for Vite + React projects. Covers Vite plugin setup, main.tsx registration, DevTools configuration, and editor settings. Use when setting up or reviewing TanStack config in a Vite project. Triggers on: vite-tanstack, tanstack config, tanstack router setup, tanstack query setup, tanstack form setup, tanstack table setup.
1SKILL.mdUpdated Apr 17, 2026
jsonlee12138/unocss-shadcn
tools
VerifiedTrustedCommunity
Configure UnoCSS with unocss-preset-shadcn using a semi-automatic, framework-agnostic workflow. Use when setting up or updating UnoCSS + shadcn integration, deciding monorepo vs single-project component destinations, enforcing peerDependencies in monorepos, and requiring shadcn MCP + manual component creation mode.
1SKILL.mdUpdated Apr 17, 2026