diff --git a/.github/actions/set-npm-token/action.yml b/.github/actions/set-npm-token/action.yml
new file mode 100644
index 0000000..4ba21b6
--- /dev/null
+++ b/.github/actions/set-npm-token/action.yml
@@ -0,0 +1,10 @@
+# https://docs.github.com/en/actions/creating-actions/metadata-syntax-for-github-actions
+name: 'Set npm token'
+description: 'This action sets a publish npm token (from an env var) in the .npmrc config file to be able to publish.'
+inputs:
+    npm-token:
+        description: 'npm publish token'
+        required: true
+runs:
+    using: 'node16'
+    main: 'main.js'
diff --git a/.github/actions/set-npm-token/main.js b/.github/actions/set-npm-token/main.js
new file mode 100644
index 0000000..39075bb
--- /dev/null
+++ b/.github/actions/set-npm-token/main.js
@@ -0,0 +1,24 @@
+const core = require('@actions/core');
+const fs = require('fs');
+const path = require('path');
+
+const main = async () => {
+    const token = core.getInput('npm-token') || process.env.NPM_TOKEN;
+    if (!token) {
+        throw new Error('NPM_TOKEN env var not set');
+    }
+
+    const lines = [
+        // set npm auth token with publish permission from environment
+        `//registry.npmjs.org/:_authToken=${token}`,
+
+        // this allows to execute npm lifecycle scripts by root
+        'unsafe-perm = true',
+    ];
+
+    fs.writeFileSync(path.join(__dirname, '..', '..', '..', '.npmrc'), lines.join('\n'));
+};
+
+main().catch((error) => {
+    core.setFailed(error.message);
+});