This article is a follow-up to a previous article I wrote a couple of years ago: How to publish on npm with --provenance using Lerna-Lite
You can now use OIDC Trusted Publishing to publish your packages to npm. The process is documented by npm at https://docs.npmjs.com/trusted-publishers and described as:
Trusted Publishing with OpenID Connect (OIDC) for all users, marking a significant milestone for JavaScript supply chain security. This authentication method eliminates the need for long-lived tokens in CI/CD workflows, replacing them with short-lived, cryptographically-secured credentials that reduce the attack surface for package publishing.
Also note that this process publishes with provenance out of the box.
provenance data gives consumers a verifiable way to link a package back to its source repository and the specific build instructions used to publish it
What is Lerna-Lite?
From Lerna's website, it is described as
Lerna is a fast, modern build system for managing and publishing multiple JavaScript/TypeScript packages from the same repository.
Lerna-Lite is a lighter version of Lerna: every command is optional in Lerna-Lite, whereas Lerna is an "all-in-one" tool. Another difference is that the newest Lerna versions have Nx as a dependency, while Lerna-Lite neither requires nor uses Nx.
What you will need
- Go to each of your npm monorepo packages and add a Trusted Publisher via the package "Settings" (the currently supported publishers are "GitHub Actions" and "GitLab CI/CD").
- Take a look at "Publishing Access"; it is recommended to set it to "Require two-factor authentication and disallow tokens", so that a leaked or legacy token can no longer publish the package.
- Repeat steps 1 and 2 for all your monorepo packages (hopefully npm will bring a global setup in the future, but for now each package has to be changed one by one).
You can see a minimal demo at this link:
https://github.com/lerna-lite-test/oidc
This basic demo has the following configuration set as Trusted Publisher:
Basic Usage
If you already have a release CI workflow, the change is small: remove any npm token and any provenance configuration from it, and you are good to go with OIDC.
# release.yml
...
      - name: Lerna Version 🏷️
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-         NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # remove: the OIDC exchange replaces the long-lived token
-         NPM_CONFIG_PROVENANCE: true                # remove: provenance is attached by default with trusted publishing
Or, if you want a full sample of a release CI workflow, see below for a basic setup using pnpm; you can tweak it for other package managers.
.github/workflows/release.yml
name: 🏷️ Release to NPM
on:
  workflow_dispatch:
permissions:
  contents: write
  id-token: write # required for OIDC
jobs:
  deploy-npm-latest:
    runs-on: ubuntu-latest
    timeout-minutes: 30
    steps:
      - name: Clone repository
        uses: actions/checkout@v5
        with:
          fetch-depth: 0
          token: ${{ secrets.GITHUB_TOKEN }}
      - name: Install pnpm
        uses: pnpm/action-setup@v3
        with:
          version: 10
          run_install: false
      - name: Set NodeJS
        uses: actions/setup-node@v5
        with:
          registry-url: 'https://registry.npmjs.org/'
          node-version: 24
          cache: 'pnpm'
      # OIDC requires npm v11.5.1 or later. Recent Node 24 releases already bundle
      # a new enough npm, so the upgrade below is a safety net; the two version
      # checks that follow show in the job log what actually runs.
      - run: npm install -g npm@latest
      - run: node --version
      - run: npm --version
      - name: Run pnpm install dependencies
        run: pnpm install
      - name: Build Everything
        run: pnpm build
      - name: Lerna Version 🏷️
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        shell: bash
        run: |
          git config --global user.name "${{ github.actor }}"
          git config --global user.email "${{ github.actor }}@users.noreply.github.com"
          pnpm exec lerna version --yes
      - name: Lerna Publish 📦
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        shell: bash
        id: lerna-publish
        continue-on-error: true # keeps the job green even if publishing fails, so check this step's log
        run: |
          pnpm exec lerna publish from-package --force-publish --yes
Provenance is attached by default with trusted publishing; you no longer need to enable it with NPM_CONFIG_PROVENANCE or --provenance.
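As an added pre-flight check (my own code, not the article's and not part of Lerna-Lite), the script below scans a release workflow for the leftovers that the removal snippet and the full workflow above are about: a missing id-token: write permission, a NODE_AUTH_TOKEN or secrets.NPM_TOKEN still wired in, and a now-redundant NPM_CONFIG_PROVENANCE or --provenance. It also flags a pull_request_target trigger, a hardening point that goes beyond the article: the trusted publisher is bound to this workflow file, so any trigger that can run it can mint a publish credential. The two embedded workflows are constructed samples, and the checks are line-based regular expressions rather than a YAML parser.

```python
"""Pre-flight check for an npm OIDC trusted-publishing release workflow.

Added example, not code from the article or from Lerna-Lite. It scans a GitHub
Actions workflow line by line (no YAML parser is needed for these keys) and
reports anything that would break OIDC publishing or that belongs to the old
long-lived-token setup.
"""
import re

# Constructed sample 1: the shape of the article's OIDC workflow, abbreviated.
OIDC_WORKFLOW = """\
name: Release to NPM
on:
  workflow_dispatch:
permissions:
  contents: write
  id-token: write # required for OIDC
jobs:
  deploy-npm-latest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-node@v5
        with:
          registry-url: 'https://registry.npmjs.org/'
          node-version: 24
      - run: pnpm exec lerna publish from-package --yes
"""

# Constructed sample 2: a pre-OIDC workflow still wired to a long-lived NPM_TOKEN.
LEGACY_WORKFLOW = """\
name: Release to NPM
on:
  workflow_dispatch:
permissions:
  contents: write
jobs:
  deploy-npm-latest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          registry-url: 'https://registry.npmjs.org/'
          node-version: 20
      - env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
          NPM_CONFIG_PROVENANCE: true
        run: pnpm exec lerna publish from-package --yes
"""


def check_workflow(text: str) -> list[str]:
    """Return a list of findings; an empty list means the workflow looks OIDC-ready."""
    findings: list[str] = []

    # 1. Without id-token: write the runner cannot mint the OIDC token that npm
    #    exchanges for a short-lived publish credential (top-level or job-level).
    if not re.search(r"^\s*id-token:\s*write\b", text, re.MULTILINE):
        findings.append("missing 'id-token: write' permission; npm cannot request an OIDC token")

    # 2. The working setup points actions/setup-node at the npm registry explicitly.
    if not re.search(r"^\s*registry-url:\s*\S+", text, re.MULTILINE):
        findings.append("actions/setup-node has no registry-url; set https://registry.npmjs.org/")

    # 3. A leftover long-lived token is exactly what OIDC is meant to retire.
    #    One finding per offending line, whichever of the two spellings it uses.
    for m in re.finditer(r"^.*(?:NODE_AUTH_TOKEN|secrets\.NPM_TOKEN).*$", text, re.MULTILINE):
        findings.append(f"long-lived npm token still wired in: {m.group(0).strip()}")

    # 4. Trusted publishing attaches provenance by default; explicit opt-in is dead config.
    if re.search(r"NPM_CONFIG_PROVENANCE|--provenance", text):
        findings.append("NPM_CONFIG_PROVENANCE / --provenance is redundant under trusted publishing")

    # 5. Hardening beyond the article: the trusted publisher is bound to this
    #    workflow file, so it must not be reachable from pull_request_target,
    #    which runs in the base repository's context with write permissions.
    if re.search(r"^\s*pull_request_target:", text, re.MULTILINE):
        findings.append("workflow triggers on pull_request_target; a publish workflow must not")

    return findings


if __name__ == "__main__":
    failed = False
    for label, workflow in (("oidc", OIDC_WORKFLOW), ("legacy", LEGACY_WORKFLOW)):
        result = check_workflow(workflow)
        print(f"{label}: {'OK' if not result else f'{len(result)} finding(s)'}")
        for finding in result:
            print(f"  - {finding}")
        failed = failed or bool(result)
    raise SystemExit(1 if failed else 0)
```

Run it against your own workflow file (read it into check_workflow) as an early job step: a non-empty result exits non-zero, so a forgotten NPM_TOKEN fails the run before the publish step is ever reached.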
Conclusion
With that in place, we are now publishing with provenance and a short-lived token using Lerna-Lite, which makes our toolchain much more secure. Following these steps, you should be able to do the same with your project.
Also note that you can follow the exact same steps with Lerna (the implementation originally came from Lerna, so credit goes to them).
See Lerna-Lite@4.9.0 release for more details.