sanity-io · stipsan · Mar 6, 2026 · Mar 4, 2026 · Mar 4, 2026 · Mar 5, 2026
@@ -4,7 +4,7 @@ on:
   workflow_dispatch:
     inputs:
       package:
-        description: 'The package name name, for example @sanity/foo-bar'
+        description: 'The package name, for example @sanity/foo-bar'
         required: true
 
 permissions:
@@ -18,3 +18,11 @@ jobs:
       - uses: ./.github/actions/setup
       - run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_PUBLISH_TOKEN }}" > ~/.npmrc
       - run: pnpm setup-npm-trusted-publish ${{ inputs.package }}
+      - name: Configure trusted publishing
+        run: |
+          echo "📦 Package ${{ inputs.package }} has been created on npm."
+          echo ""
+          echo "Next, configure trusted publishing by running locally (requires npm >= 11.10.0):"
+          echo ""
+          echo "  npm trust github ${{ inputs.package }} --file=release.yml --repository=sanity-io/plugins"
+          echo ""
@@ -315,17 +315,12 @@ See [CONTRIBUTING.md](./CONTRIBUTING.md) for detailed instructions on:
 **For brand new packages (not yet on npm):**
 
 - Use the "Setup a new npm package with Trusted Publishing" GitHub Actions workflow
-- The workflow will create the package and provide setup instructions
+- Then run locally: `npm trust github <package-name> --file=release.yml --repository=sanity-io/plugins` (requires npm >= 11.10.0)
 
 **For existing packages (already on npm):**
 
 - ⚠️ DO NOT use the setup workflow
-- Manually configure trusted publishing at: `https://www.npmjs.com/package/PACKAGE-NAME/access`
-- Add GitHub Actions as trusted publisher with:
-  - Owner: `sanity-io`
-  - Repository: `plugins`
-  - Workflow: `release.yml`
-  - Environment: _(leave empty)_
+- Run: `npm trust github <package-name> --file=release.yml --repository=sanity-io/plugins` (requires npm >= 11.10.0)
 
 ## Code Style
 

@@ -152,29 +152,30 @@ If you're creating a package that has never been published to npm before:
 2. Find the **"Setup a new npm package with Trusted Publishing"** workflow
 3. Click **"Run workflow"**
 4. Enter the package name (e.g., `@sanity/my-new-plugin` or `sanity-plugin-my-feature`)
-5. The workflow will create the package on npm and output instructions for configuring trusted publishing
+5. Click **"Run workflow"** — the workflow will create the package on npm
 
-After the workflow completes, go to the package settings on npm and configure trusted publishing with these values:
+Then, configure trusted publishing by running locally (requires [npm >= 11.10.0](https://docs.npmjs.com/cli/v11/commands/npm-trust)):
 
-| Setting       | Value           |
-| ------------- | --------------- |
-| Organization  | `sanity-io`     |
-| Repository    | `plugins`       |
-| Workflow name | `release.yml`   |
-| Environment   | _(leave blank)_ |
-
-Under token settings, configure:
-
-- **Require 2FA** for publishing
-- **Disallow tokens** (granular and automation tokens)
+```bash
+npm trust github <package-name> --file=release.yml --repository=sanity-io/plugins
+```
 
 This sets up [OIDC-based trusted publishing](https://docs.npmjs.com/generating-provenance-statements) so the release workflow can publish packages without storing npm tokens.
 
 #### For Existing Packages (Already on npm)
 
 ⚠️ **Do NOT use the "Setup a new npm package with Trusted Publishing" workflow for existing packages!** That workflow is only for brand new packages that don't have an npm settings page yet.
 
-For packages that are already published to npm, manually configure trusted publishing:
+For packages that are already published to npm, configure trusted publishing using the npm CLI (requires [npm >= 11.10.0](https://docs.npmjs.com/cli/v11/commands/npm-trust)):
+
+```bash
+npm trust github <package-name> --file=release.yml --repository=sanity-io/plugins
+```
+
+<details>
+<summary>Alternative: Configure via npm website</summary>
+
+If you don't have npm >= 11.10.0, you can configure trusted publishing manually:
 
 1. Go to your package's access settings page: `https://www.npmjs.com/package/YOUR-PACKAGE-NAME/access`
 2. Under **"Publishing access"**, click **"Add a trusted publisher"** and select **"GitHub Actions"**
@@ -188,9 +189,8 @@ For packages that are already published to npm, manually configure trusted publi
 | **Environment name** | _(leave empty)_ |
 
 4. Click **"Add trusted publisher"**
-5. Under **"Token settings"**, ensure:
-   - ✅ **Require 2FA** for publishing is enabled
-   - ✅ **Disallow tokens** (both granular and automation tokens)
+
+</details>
 
 ### 2. Init the plugin workspace
 
@@ -226,7 +226,13 @@ Commit the changeset file with your PR.
 
 ### 1. Set Up Trusted Publishing
 
-Since the plugin is already published to npm, you need to manually configure trusted publishing. See [For Existing Packages](#for-existing-packages-already-on-npm) above for detailed instructions.
+Since the plugin is already published to npm, configure trusted publishing using the npm CLI (requires [npm >= 11.10.0](https://docs.npmjs.com/cli/v11/commands/npm-trust)):
+
+```bash
+npm trust github <package-name> --file=release.yml --repository=sanity-io/plugins
+```
+
+See [For Existing Packages](#for-existing-packages-already-on-npm) above for alternative manual instructions.
 
 ### 2. Init the plugin workspace
 

@@ -50,16 +50,11 @@ First, create the package on npm by running the setup-trusted-publish workflow:
 2. Click "Run workflow"
 3. Enter "${name}" in "The package name"
 4. Click "Run workflow" in the popover
-5. Wait for the workflow to complete - this creates the initial package on npm
+5. Wait for the workflow to complete
 
-Then, configure trusted publishing so releases can be automated:
+Then, configure trusted publishing by running locally (requires npm >= 11.10.0):
 
-6. Open https://www.npmjs.com/package/${name}/access
-7. Under "Trusted Publisher", click "GitHub Actions"
-8. In "Organization or user", enter: sanity-io
-9. In "Repository", enter: plugins
-10. In "Workflow filename", enter: release.yml
-11. Click "Set up connection"
+  npm trust github ${name} --file=release.yml --repository=sanity-io/plugins
 
 After completing these steps, run this generator again.
 `

@@ -12,15 +12,22 @@ This plugin was scaffolded using `pnpm generate "copy plugin"`.
 
 ⚠️ **If trusted publishing is not configured correctly, the plugin will fail to publish from this monorepo.**
 
-Go to the npm package access settings:
+Run this command locally (requires [npm >= 11.10.0](https://docs.npmjs.com/cli/v11/commands/npm-trust)):
 
-**https://www.npmjs.com/package/{{ name }}/access**
+```bash
+npm trust github {{ name }} --file=release.yml --repository=sanity-io/plugins
+```
+
+This sets up OIDC-based trusted publishing so the GitHub Actions release workflow can publish this package without storing npm tokens.
 
-### Configure GitHub Actions as Trusted Publisher
+<details>
+<summary>Alternative: Configure via npm website</summary>
 
-Under **"Publishing access"**, click **"Add a trusted publisher"** and select **"GitHub Actions"**.
+If you don't have npm >= 11.10.0, you can configure trusted publishing manually:
 
-Fill in the fields **exactly** as shown:
+1. Go to **https://www.npmjs.com/package/{{ name }}/access**
+2. Under **"Publishing access"**, click **"Add a trusted publisher"** and select **"GitHub Actions"**
+3. Fill in the fields:
 
 | Setting              | Value         |
 | -------------------- | ------------- |
@@ -29,16 +36,9 @@ Fill in the fields **exactly** as shown:
 | **Workflow**         | `release.yml` |
 | **Environment name** | _(leave empty)_ |
 
-Click **"Add trusted publisher"**.
-
-### Configure Token Settings
-
-Under **"Token settings"**, ensure:
-
-- ✅ **Require 2FA** for publishing is enabled
-- ✅ **Disallow tokens** (both granular and automation tokens)
+4. Click **"Add trusted publisher"**
 
-This ensures only the GitHub Actions release workflow can publish this package using OIDC-based trusted publishing.
+</details>
 
 ## 2. Update package.json Dependencies