Archetype Engine is now configured with automated npm publishing using OIDC Trusted Publishing.
- Code Quality Score: 78/100 → 92/100
- Eliminated technical debt
- Improved type safety
- Created Architecture Decision Records
- Updated all project URLs and metadata
- All 209 tests passing
- ✅ Configured npm Trusted Publisher on npmjs.com
- ✅ Created `.github/workflows/publish.yml` with OIDC authentication
- ✅ Fixed the npm version requirement (`--provenance` needs npm 9.5.0+, and OIDC trusted publishing needs npm 11.5.1+, which is newer than the npm bundled with the runner's Node)
- ✅ Successfully published v2.0.1 with provenance
- ✅ Created automatic GitHub releases
- ✅ Comprehensive documentation written
```bash
# 1. Make your changes and commit
git add .
git commit -m "feat: new feature"
git push origin main

# 2. Update CHANGELOG.md and commit it
# (edit the file with your changes; npm version refuses to run on a dirty working tree)
git add CHANGELOG.md
git commit -m "docs: update changelog"

# 3. Bump version and release
npm version patch   # or minor, or major; this commits and creates the vX.Y.Z tag
git push origin main --tags

# Done! GitHub Actions will:
# ✓ Run all tests
# ✓ Build the package
# ✓ Publish to npm with provenance
# ✓ Create GitHub release
```
- ✅ No npm tokens - Zero secrets to manage or rotate
- ✅ Automatic provenance - npm verifies build authenticity
- ✅ Short-lived credentials - The publish credential is minted for this one workflow run and expires shortly after use
- ✅ Audit trail - Every publish linked to exact GitHub commit
published just now by GitHub Actions <npm-oidc-no-reply@github.com>
This proves the package was published via OIDC, not with a user token.
Users can verify package authenticity: https://www.npmjs.com/package/archetype-engine?activeTab=provenance
- ✅ v2.0.0 - Initial release (manual publish)
- ✅ v2.0.1 - First automated release with OIDC (SUCCESS!)
- Name: archetype-engine
- Latest: 2.0.1
- License: MIT
- Bundle Size: 91.7 kB (compressed), 424.8 kB (unpacked)
- Dependencies: 4 runtime deps (lean)
- Author: IFAKA
- Provenance: ✅ SLSA provenance enabled
- npm Package: https://www.npmjs.com/package/archetype-engine
- GitHub Repo: https://github.com/IFAKA/archetype-engine
- Documentation: https://archetype-engine.vercel.app
- Latest Release: https://github.com/IFAKA/archetype-engine/releases/tag/v2.0.1
The key to making OIDC work was:
- Configure the trusted publisher in the package settings on npmjs.com:
  - Repository: IFAKA/archetype-engine
  - Workflow: publish.yml
- Publish with an npm that supports trusted publishing (11.5.1+; the `--provenance` flag itself only needs 9.5.0+). The runner's bundled npm is older, so invoke the latest release:
  ```bash
  npx --yes npm@latest publish --provenance --access public
  ```
- Set the GitHub Actions permissions the job needs:
  ```yaml
  permissions:
    contents: write # For creating releases
    id-token: write # For OIDC authentication
  ```
- Don't set `registry-url` in `actions/setup-node`: it writes an `.npmrc` line `//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}`, and that token-based auth conflicts with the OIDC exchange
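The pieces above assembled into one workflow, as an added example; it is not the repository's own `publish.yml`, which this page does not reproduce. It assumes the package defines `test` and `build` npm scripts and that the GitHub release is created with the `gh` CLI; the permissions, the missing `registry-url`, and the `npx npm@latest publish --provenance` invocation are exactly the settings listed above.

```yaml
# .github/workflows/publish.yml (illustrative; assumed script names: test, build)
name: Publish to npm

on:
  push:
    tags:
      - "v*"            # npm version creates tags like v2.0.1

permissions:
  contents: write       # needed to create the GitHub release
  id-token: write       # lets the job request a GitHub OIDC token for npm

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          # Do NOT set registry-url here. With it, setup-node writes an .npmrc
          # containing //registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN},
          # and that token-based auth conflicts with the OIDC exchange:
          # registry-url: https://registry.npmjs.org

      # Guard against the "rerun on a stale tag" mistake: the pushed tag must
      # match the version in package.json, or nothing is published.
      - name: Check tag matches package.json version
        run: |
          pkg="v$(node -p "require('./package.json').version")"
          [ "$pkg" = "$GITHUB_REF_NAME" ] || { echo "tag $GITHUB_REF_NAME != package.json $pkg"; exit 1; }

      - run: npm ci
      - run: npm test
      - run: npm run build

      # The npm bundled with Node 20 on the runner predates trusted publishing,
      # so run the latest CLI (11.5.1+). No NODE_AUTH_TOKEN or NPM_TOKEN anywhere:
      # npm sees ACTIONS_ID_TOKEN_REQUEST_URL/_TOKEN, fetches an OIDC token with
      # audience npm:registry.npmjs.org, and the registry matches its claims
      # (repository, workflow file) against the trusted publisher on npmjs.com.
      - run: npx --yes npm@latest publish --provenance --access public

      # Create the GitHub release for the tag that triggered the run (contents: write).
      - run: gh release create "$GITHUB_REF_NAME" --generate-notes
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The trusted publisher entry on npmjs.com must name this file (`publish.yml`) exactly; if you later add a job-level `environment:`, enter the same environment name in the trusted publisher's optional environment field, otherwise the claims will not match and the publish is rejected. The `--provenance` flag also fails the job outright if npm cannot obtain an OIDC token, which is the behaviour you want: a publish that silently fell back to a long-lived token would defeat the point of the setup.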
All guides are available in .github/:
| File | Purpose |
|---|---|
| SETUP_TOKEN.md | One-time trusted publisher setup |
| PUBLISHING_GUIDE.md | Complete publishing workflow guide |
| workflows/release.md | Quick command reference |
| NEXT_STEPS.md | Step-by-step guide for what to do next |
- ✅ npm Trusted Publishing (OIDC) is more secure than tokens
- ✅ GitHub Actions + npm 11.5.1+ = authentication with no tokens to configure
- ✅ Automatic provenance builds user trust
- ✅ No maintenance needed (no token rotation)
- npm version matters - `--provenance` requires npm 9.5.0+, and OIDC trusted publishing requires npm 11.5.1+
- Keep it simple - Don't set `registry-url` when using OIDC
- Use latest npm - `npx npm@latest` ensures compatibility
- Provenance is free - Just add the `--provenance` flag
- ❌ Using `registry-url` in setup-node (creates conflicting auth)
- ❌ Trying to use an old npm version (lacks OIDC support)
- ❌ Rerunning the workflow without updating code (the git tag still points to the old commit)
- ❌ Not configuring the trusted publisher first (the registry rejects the publish, which npm reports as a 404)
To verify the setup is working:
```bash
# Check npm package
npm info archetype-engine
# Should show:
# - latest: 2.0.1
# - published by: GitHub Actions <npm-oidc-no-reply@github.com>

# Check provenance
npm view archetype-engine@2.0.1 --json | grep provenance
# Should show the SLSA provenance predicate type and attestation URL

# Test installation
npx create-next-app test-app
cd test-app
npm install archetype-engine@latest
npx archetype init --help
```
Here's what happens when you push a version tag:
- Tag Push → GitHub Actions workflow triggers
- Workflow Runs with `id-token: write` permission → the runner exposes `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN` to the job
- npm CLI (11.5.1+) detects those variables and requests an OIDC token from GitHub with audience `npm:registry.npmjs.org` (the `--provenance` flag does not trigger this; it only asks for the attestation)
- GitHub returns a signed JWT whose claims identify the run:
  - Repository: IFAKA/archetype-engine
  - Workflow: publish.yml (`workflow_ref`)
  - Commit SHA, ref, actor, environment, etc.
- npm presents the token to the registry; the registry validates the signature against GitHub's published signing keys and matches the claims against the trusted publisher config
- The registry issues a short-lived publish credential scoped to this package
- Package publishes, and npm generates a provenance attestation (signed via Sigstore and recorded in its transparency log) that links the tarball to the workflow run and commit
- The publish credential expires shortly after, and the OIDC token itself has a short lifetime, so neither can be reused from another job
Security Benefit: Even if someone captures the workflow logs, there's nothing useful to steal.
Now that publishing is automated, consider:
- Automate Changelog
  - Use conventional commits
  - Auto-generate changelog from commits
  - Tools: `conventional-changelog`, `release-please`
- Add Release Notes Template
  - Standardize what goes in each release
  - Highlight breaking changes automatically
- Pre-release Channels
  - Set up alpha/beta dist-tags
  - Allow users to test features early
- Download Badge
  - Add npm download badge to README
  - Track package adoption
- Bundle Size Monitoring
  - Track bundle size over time
  - Alert on significant increases
Solved By:
- OIDC Trusted Publishing configuration on npmjs.com
- Using `npm@latest` (11.5.1+) with the `--provenance` flag
- Proper GitHub Actions permissions (`id-token: write`)
- Removing the conflicting `registry-url` configuration
Date: December 24, 2025
First Automated Release: v2.0.1
Status: ✅ Production Ready
- Quick Commands: .github/workflows/release.md
- Full Guide: .github/PUBLISHING_GUIDE.md
- Setup Instructions: .github/SETUP_TOKEN.md
- Workflow File: .github/workflows/publish.yml
Congratulations! Your package now has enterprise-grade publishing automation. 🎉