This document explains how to publish @BuildCanada/bcds to the npm registry using trusted publishing (OIDC/provenance).
Prerequisites:
- npm account: you need an npm account with publish access to the `@buildcanada` scope
- Link GitHub to npm: configure trusted publishing on npm (see below)
Trusted publishing uses GitHub's OIDC provider to authenticate with npm without storing tokens. This is more secure than using access tokens.
To link the repository:
- Go to npmjs.com and log in
- Navigate to your package settings (or create the package first with `npm publish --access public` locally)
- Go to the package's "Settings" tab
- Scroll to "Publishing access"
- Click "Link repository" or "Add new repository"
- Enter your GitHub repository: `BuildCanada/bcds` (or your actual repo)
- Save the settings
If you want to restrict publishing to a specific GitHub environment:
- In npm package settings, under "Publishing access", specify an environment name (e.g., `production`)
- In your GitHub repo, go to Settings → Environments → New environment
- Create an environment with the same name
- Add protection rules (e.g., required reviewers)
To publish a release:
- Update the version in `package.json`:

  ```sh
  npm version patch   # or minor, major
  ```

- Push the changes and tags:

  ```sh
  git push && git push --tags
  ```

- Create a GitHub Release:
  - Go to the repository on GitHub
  - Click "Releases" → "Create a new release"
  - Select the tag you just created
  - Add release notes
  - Click "Publish release"

The workflow will automatically run and publish to npm with provenance.
To trigger the workflow manually instead:
- Go to the repository on GitHub
- Click "Actions" → "Publish to npm"
- Click "Run workflow"
- Optionally enable "dry-run" to test without publishing
- Click "Run workflow"
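The workflow the steps above rely on is not reproduced in this document, so here is an added example of one that matches them: it runs on a published release or a manual trigger with a "dry-run" input, and grants only the `id-token: write` permission trusted publishing needs. This is not the project's own workflow file; the file name, job name, Node version and the `production` environment are assumptions.

```yaml
# Added example (.github/workflows/publish.yml is an assumed path), not the project's own workflow.
name: Publish to npm

on:
  release:
    types: [published]          # runs when a GitHub Release is published
  workflow_dispatch:
    inputs:
      dry-run:
        description: "Run npm publish with --dry-run (nothing is uploaded)"
        type: boolean
        default: false

# Least privilege: read the repo, and mint the OIDC token that npm exchanges for publish rights.
# No long-lived npm token is stored as a secret anywhere in this workflow.
permissions:
  contents: read
  id-token: write

jobs:
  publish:
    runs-on: ubuntu-latest
    # Assumption: an environment named "production" exists and is the one named in npm's
    # "Publishing access" settings; remove this line if no environment restriction is configured.
    environment: production
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org

      # Trusted publishing needs a recent npm CLI that performs the OIDC exchange.
      - run: npm install -g npm@latest

      - run: npm ci

      # NODE_AUTH_TOKEN is deliberately not set: the OIDC token replaces the access token.
      # On a release trigger inputs.dry-run is empty, so the real publish branch runs.
      - name: Publish
        run: |
          if [ "${{ inputs.dry-run }}" = "true" ]; then
            npm publish --access public --provenance --dry-run
          else
            npm publish --access public --provenance
          fi
```

The provenance attestation links the published tarball to the exact commit and workflow run, which is what the "Provenance" badge on npmjs.com displays.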
To test the publishing process without actually publishing:
- Use the manual trigger with "dry-run" enabled, OR
- Run locally:

  ```sh
  npm pack --dry-run
  npm publish --access public --dry-run
  ```
Follow semantic versioning:
- patch (0.1.0 → 0.1.1): Bug fixes, documentation updates
- minor (0.1.0 → 0.2.0): New features, backward compatible
- major (0.1.0 → 1.0.0): Breaking changes
```sh
# Bump version
npm version patch # 0.1.0 → 0.1.1
npm version minor # 0.1.0 → 0.2.0
npm version major # 0.1.0 → 1.0.0
# Or set specific version
npm version 1.0.0
```

The following files are included in the published package:
- `src/` - All source files (TypeScript, SCSS)
- `README.md` - Package documentation
- `LICENSE.md` - License file
- `package.json` - Package metadata
Excluded from the package:
- Test files (`*.test.ts`, `*.test.tsx`)
- Storybook stories (`*.stories.tsx`)
- `.storybook/` directory
- `docs/` directory
- `node_modules/`
- Build artifacts
Published packages include provenance attestation, which:
- Proves the package was built from the linked GitHub repository
- Shows the exact commit and workflow that produced the package
- Appears as a "Provenance" badge on npmjs.com
If the workflow fails to publish, check the following:
- Ensure the `id-token: write` permission is set in the workflow
- Verify the repository is linked in npm package settings
- Check that the package name matches exactly
- Verify your npm account has access to the `@buildcanada` scope
- Ensure the GitHub repository is linked in npm package settings
- Check that trusted publishing is configured correctly
The package @BuildCanada/bcds may already exist. Either:
- Get publish access to the existing package
- Change the package name in `package.json`
Bump the version in `package.json` before publishing:

```sh
npm version patch
```

For the initial publish (before trusted publishing can be configured):
- Log in to npm locally:

  ```sh
  npm login
  ```

- Publish the first version:

  ```sh
  npm publish --access public
  ```

- Then configure trusted publishing in npm settings as described above