[BUG] `npm publish --provenance` The default value `public` isn't used
Is there an existing issue for this?
- [X] I have searched the existing issues
This issue exists in the latest npm version
- [X] I am using the latest npm
Current Behavior
```
$ npm publish --provenance
...
npm notice Publishing to https://registry.npmjs.org/ with tag latest and default access
npm error code EUSAGE
npm error Can't generate provenance for new or private package, you must set `access` to public.
```
Expected Behavior
npm should use the default value public (npm-publish --access) when publishing a new package.
Steps To Reproduce
```yaml
name: Release
on:
  push:
    branches: [main]
jobs:
  release-please:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
      id-token: write
    steps:
      - name: Run Release Please
        uses: googleapis/release-please-action@v4
        id: release
        with:
          release-type: node
      # If the release was created: publish the package to npm.
      - name: Checkout repository
        if: ${{ steps.release.outputs.release_created }}
        uses: actions/checkout@v4
      - name: Setup Node.js
        if: ${{ steps.release.outputs.release_created }}
        uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - name: Install dependencies
        if: ${{ steps.release.outputs.release_created }}
        run: npm ci
      - name: Publish in npm
        if: ${{ steps.release.outputs.release_created }}
        run: npm publish --provenance
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```
Environment
- npm: 10.8.1
- Node.js: v20.16.0
- OS Name: Ubuntu 22.04.4 LTS
- System Model Name:
- npm config:
; copy and paste output from `npm config ls` here
@regseb If you are publishing a package for the first time you will also need to explicitly set access to public. Check out this documentation for more information: https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions
The documentation indicates that the default value for new packages is 'public'. Why do you need to set this value? It's strange to pass the default value; you feel like removing it because it seems useless.
- Default: 'public' for new packages, existing packages it will not change the current level
- Type: null, "restricted", or "public"
@regseb You'll have to do this for the first time and it will keep the same access for next publishes.
> @regseb If you are publishing a package for the first time you will also need to explicitly set access to public. Check out this documentation for more information: https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions
If access 'public' should be specified for a new package: the documentation is wrong.
- Default: 'public' for new packages, existing packages it will not change the current level
+ Default: no default value for new packages (value must be specified), existing packages it will not change the current level
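Review bot: the `+` line removes the default for every new package, but the error quoted in the report is specific to provenance ("Can't generate provenance for new or private package"), and the publish log still reports "default access". Consider keeping the stated default and adding a sentence that `access` must be set to `public` explicitly when a new package is published with `--provenance`.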
Access level defaults to public for unscoped packages; it’s only for scoped packages that you need to specify it the first time. (for normal publishing, unrelated to provenance)
For unscoped packages the default access would be public, but when published with provenance you need to specify it, as mentioned in this documentation: https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions
For scoped packages, check out this documentation: https://docs.npmjs.com/creating-and-publishing-scoped-public-packages#publishing-scoped-public-packages
By default, scoped packages are published with private visibility. To publish a scoped package with public visibility, use npm publish --access public.
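The rule the replies above converge on, written as a pre-publish check that a CI job could run before `npm publish --provenance`. This is an added example, not npm's code or part of the thread; the function names, the `alreadyPublic` input and the sample package are assumptions, and only the CLI flag and `publishConfig.access` are inspected.

```javascript
// Added example: pre-publish check for `npm publish --provenance`.
// It models only the rule stated in this thread; it is not npm's implementation.

// Access level the publish will request: an explicit CLI flag wins,
// then `publishConfig.access` from package.json, otherwise null (unset).
function requestedAccess(pkg, argv) {
  const i = argv.indexOf('--access');
  if (i !== -1 && argv[i + 1]) return argv[i + 1];
  const eq = argv.find((a) => a.startsWith('--access='));
  if (eq) return eq.slice('--access='.length);
  return (pkg.publishConfig && pkg.publishConfig.access) || null;
}

// alreadyPublic (hypothetical input): true when the caller knows the package
// already exists on the registry with public access.
function provenancePreflight(pkg, argv, alreadyPublic) {
  if (!argv.includes('--provenance')) {
    return { ok: true, reason: 'provenance not requested' };
  }
  const access = requestedAccess(pkg, argv);
  if (access === 'public') {
    return { ok: true, reason: 'access explicitly set to public' };
  }
  if (access === 'restricted') {
    // Conservative choice: the error text says access must be public.
    return { ok: false, reason: 'provenance needs public access, got restricted' };
  }
  if (alreadyPublic) {
    return { ok: true, reason: 'existing public package keeps its access level' };
  }
  return { ok: false, reason: 'first publish with provenance: add --access public' };
}

// Constructed sample inputs.
const pkg = { name: 'example-package', version: '1.0.0' };
const cases = [
  ['publish', '--provenance'],
  ['publish', '--provenance', '--access', 'public'],
];
for (const argv of cases) {
  const { ok, reason } = provenancePreflight(pkg, argv, false);
  console.log(`npm ${argv.join(' ')} -> ${ok ? 'ok' : 'would fail'}: ${reason}`);
}
```

Failing the job on `ok: false` surfaces the missing flag before the publish step reaches the `EUSAGE` error shown in the report.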