From abdf20acf3f6daa285bf4487b1bcb42ddcd88dd5 Mon Sep 17 00:00:00 2001 From: mohitagw15856 <119053560+mohitagw15856@users.noreply.github.com> Date: Wed, 17 Jun 2026 15:22:04 +0100 Subject: [PATCH] Automated npm publish via GitHub Actions (#30) Lets the package ship to npm without a local npm install: publish a GitHub Release and CI runs `npm publish` using an NPM_TOKEN repo secret. - .github/workflows/npm-publish.yml: triggers on release published (and manual dispatch), verifies the release tag matches package.json version, then publishes with provenance (id-token: write) to the public registry. One-time setup by the maintainer: create an npm Automation token and add it as the NPM_TOKEN repository secret. Documented in the workflow header. Claude-Session: https://claude.ai/code/session_016JWn5jRD5tcEFKrubjQ6Px Co-authored-by: Claude --- .github/workflows/npm-publish.yml | 50 +++++++++++++++++++++++++++++++ CHANGELOG.md | 5 +++- 2 files changed, 54 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/npm-publish.yml diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml new file mode 100644 index 0000000..3a8afc4 --- /dev/null +++ b/.github/workflows/npm-publish.yml @@ -0,0 +1,50 @@ +name: Publish to npm + +# Publishes the package to npm when you publish a GitHub Release (or run this +# workflow manually). No local npm needed — set one repo secret, NPM_TOKEN, and +# every release ships `npx pm-claude-skills` to the world. +# +# One-time setup: +# 1. Create a free npm account at https://www.npmjs.com/signup +# 2. Profile -> Access Tokens -> Generate New Token -> "Automation" +# 3. In this repo: Settings -> Secrets and variables -> Actions -> New repository +# secret named NPM_TOKEN with that token. +# Then: publish a GitHub Release tagged vX.Y.Z (matching package.json version). + +on: + release: + types: [published] + workflow_dispatch: + +permissions: + contents: read + id-token: write # enables npm provenance (a verified "published from this repo" badge) + +jobs: + publish: + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Set up Node + uses: actions/setup-node@v4 + with: + node-version: '20' + registry-url: 'https://registry.npmjs.org' + + - name: Verify release tag matches package.json version + if: github.event_name == 'release' + run: | + TAG="${GITHUB_REF_NAME#v}" + PKG="$(node -p "require('./package.json').version")" + echo "release tag: $TAG | package.json: $PKG" + if [ "$TAG" != "$PKG" ]; then + echo "::error::Release tag ($TAG) does not match package.json version ($PKG). Bump package.json or fix the tag." + exit 1 + fi + + - name: Publish to npm (public, with provenance) + run: npm publish --provenance --access public + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} diff --git a/CHANGELOG.md b/CHANGELOG.md index d0e4e38..cc8c136 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -9,7 +9,10 @@ each new wave of skills bumps the **major** version, extensions and fixes bump ## [Unreleased] -_Nothing yet._ +### Added +- **Automated npm publishing** — `.github/workflows/npm-publish.yml` publishes the package + to npm (with provenance) when a GitHub Release is published. Requires a one-time + `NPM_TOKEN` repo secret; no local npm needed. ## [17.0.0] — Agents, Commands & the npx CLI — 2026-06-17