[BUG] OIDC publish failing from GitHub actions
Is there an existing issue for this?
- [x] I have searched the existing issues
This issue exists in the latest npm version
- [x] I am using the latest npm
Current Behavior
My publishing workflow for a nested package is failing with the following error:
npm error code E404
npm error 404 Not Found - PUT https://registry.npmjs.org/@sass%2ftypes - Not found
npm error 404
npm error 404 The requested resource '@sass/[email protected]' could not be found or you do not have permission to access it.
npm error 404
npm error 404 Note that you can also install from a
npm error 404 tarball, folder, http url, or git url.
You can see the workflow here. It's invoked from ci.yml here.
I've verified that it's not the following gotchas:
- The workflow is upgrading to the latest npm (line 119).
- The workflow has the id-token: write permissions (line 40 of ci.yml).
- The trusted publisher settings are pointing to the correct repo and the filename of the parent workflow:
Expected Behavior
I would expect npm publish to succeed and publish the package using OIDC.
Steps To Reproduce
Rerunning the GitHub Actions workflow reproduces this consistently
Environment
- npm: Whatever npm@latest was at time of posting
- Node.js: 24.11.0
- OS Name: Ubuntu Linux
- System Model Name: GitHub actions runner
- npm config: GitHub actions default
I have the same. Following.
Same issue here; had to revert to tokens.
Same here https://github.com/macalbert/envilder/actions/runs/19404399928/job/55517129647
@nex3,
There are a few things that I added to the workflow, to get it to work. I'm not sure which one is important in your case:
- package.json added: "provenance": true

      "publishConfig": { "access": "public", "provenance": true },

- To the workflow: env: NPM_CONFIG_PROVENANCE: true

      - run: npm publish
        env:
          NPM_CONFIG_PROVENANCE: true

Here is a link to a successful run: https://github.com/streetsidesoftware/jest-mock-vscode/actions/runs/19406225809/job/55521264235
In this case I used Node 24.x and NPM version 11.6.2. Node 22.x did not work for me.
I'm not sure if this will help.
Thanks for the tip, @Jason3S. Passing --provenance to npm publish and setting "repo" to the repository that I was publishing from allowed me to deploy successfully.
Perhaps this should be added to the documentation?
Using Node version 24 (instead of version 20 specified in the examples) and passing --provenance to npm publish worked for me.
Btw, I noticed that --provenance is required only when publishing from a repository for the first time. After that, it can be removed.
If anyone else is failing because of this, the GitHub username is case-sensitive.
I had this same error, but what fixed it for me was bumping to node 24. I did not need to set publishConfig in package.json. Using node 20 (as in the docs) seems to use npm 10 by default:
Environment details
node: v20.19.6
npm: 10.8.2
yarn: 1.22.22
::endgroup::
And the npm docs do say you need npm 11.5.1 or higher. (But confusingly, they also use v20 in their examples which does not ship with that necessary version.)
Bumping to node 24 is all I needed to get a successful publish.
We also had this error, and it took a little bit to realise I made a typo when connecting the workflow in npm UI.
The way it's presented in npm after saving (showing the repo name and workflow file with a GitHub icon) made me sure that npm actually verifies at least the existence of that workflow file. Apparently, it doesn't; it doesn't even check if the repo exists or not.
So yes folks, please double check your trusted publisher settings!
If anyone else is failing because of this, the GitHub username is case-sensitive.
My username is upper-case. I had to set it upper-case both in the Trusted Publisher config on npmjs.com and go back and upper-case it in repository.url in my package.json.
node version / npm version
Per https://github.com/orgs/community/discussions/173102#discussioncomment-14751214, I also manually ensured that a new-enough NPM version was installed.
Together, that got it working.
I have the same error in my example repo: https://github.com/samuel-gomez/test-github-actions/actions/runs/20104815258/job/57685498218
I try to publish a new package
I have the same error in my example repo: samuel-gomez/test-github-actions/actions/runs/20104815258/job/57685498218
I try to publish a new package
I noticed this log in your workflow:
npm notice Access token expired or revoked
You might want to switch to npm OIDC publishing instead of using a token — it avoids token expiration and secret management entirely.
After a very frustrating day and lots of churn, I finally got OIDC publication from GitHub working. Here are my results. I hope this helps someone, and I hope NPM updates their documentation to match what I'm seeing.
To make OIDC work from GitHub to NPM, we must:
- set the required permission id-token: write (as documented)
- update npm to 11.5.1+ (as documented)
- update to node 24 (not documented, and contradicting examples from npm docs that use node 20)
- set matching repository.url in package.json (not documented, and relevant to forks that have only changed the package name)
Some things that people suggested in forums, but which are not helpful:
- disabling "Require two-factor authentication for write actions" in your account settings (no effect)
- selecting "Require two-factor authentication or a granular access token with bypass 2fa enabled" in package settings (no effect)
- passing --provenance to npm publish (no effect)
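
Added example, not part of any comment in this thread and not npm's own code: a preflight check for the preconditions reported above (the id-token permission, npm 11.5.1+, and a repository.url that matches the publishing repo exactly, including case). All function names are hypothetical, and the inputs are passed in so the check can be exercised with constructed values.

```javascript
// Added example: preflight for npm trusted publishing (OIDC) on GitHub Actions.
// The checks come from this thread; all function names are hypothetical.
const MIN_NPM = [11, 5, 1]; // minimum npm version cited in the thread

// Compare e.g. "11.6.2" against MIN_NPM; pre-release suffixes are ignored.
function npmIsNewEnough(version) {
  const parts = version.trim().split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const have = parts[i] || 0;
    if (have !== MIN_NPM[i]) return have > MIN_NPM[i];
  }
  return true;
}

// Extract "owner/repo" from common package.json repository forms, case preserved.
function repoSlug(repository) {
  const url = (typeof repository === 'string' ? repository : (repository || {}).url) || '';
  const m = /\bgithub\.com[/:]([^/\s]+\/[^/\s]+?)(?:\.git)?\/?$/.exec(url) ||
            /^(?:github:)?([^/:\s]+\/[^/:\s]+)$/.exec(url);
  return m ? m[1] : null;
}

// Returns a list of problems; an empty list means the preconditions hold.
function preflight({ npmVersion, env, pkg }) {
  const problems = [];
  // GitHub sets these two variables only for jobs granted `id-token: write`.
  if (!env.ACTIONS_ID_TOKEN_REQUEST_URL || !env.ACTIONS_ID_TOKEN_REQUEST_TOKEN) {
    problems.push('no OIDC token endpoint: job lacks "id-token: write"');
  }
  if (!npmIsNewEnough(npmVersion)) {
    problems.push(`npm ${npmVersion} is older than ${MIN_NPM.join('.')}`);
  }
  const slug = repoSlug(pkg.repository);
  const actual = String(env.GITHUB_REPOSITORY || '');
  if (!slug) {
    problems.push('package.json has no GitHub repository.url');
  } else if (slug !== actual) {
    // Exact comparison: commenters report the owner name is case-sensitive.
    const caseOnly = slug.toLowerCase() === actual.toLowerCase();
    problems.push(`repository.url "${slug}" ${caseOnly
      ? 'differs only by case from' : 'does not match'} "${actual}"`);
  }
  return problems;
}
```

In a workflow step before npm publish, call preflight with the output of npm --version, process.env and the parsed package.json, and fail the job if the returned list is not empty.
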
Some tips from my day of struggle yesterday:
- If you are using Lerna to publish, OIDC is only supported from v9. Check your version
- Even on v9, I still was getting E404 errors. What ended up working for me was using npx lerna exec --no-private -- npm publish --access public to force the use of the npm binary to publish, rather than Lerna's publish command.
- Make extra sure that the config on the npm side is pointing to the correct workflow yaml file.