UNPKG

@semantic-release/npm/README.md

Version:

9.1 kBMarkdownView Raw

1# @semantic-release/npm
2
3[**semantic-release**](https://github.com/semantic-release/semantic-release) plugin to publish a [npm](https://www.npmjs.com) package.
4
5[![Build Status](https://github.com/semantic-release/npm/workflows/Test/badge.svg)](https://github.com/semantic-release/npm/actions?query=workflow%3ATest+branch%3Amaster) [![npm latest version](https://img.shields.io/npm/v/@semantic-release/npm/latest.svg)](https://www.npmjs.com/package/@semantic-release/npm)
6[![npm next version](https://img.shields.io/npm/v/@semantic-release/npm/next.svg)](https://www.npmjs.com/package/@semantic-release/npm)
7[![npm beta version](https://img.shields.io/npm/v/@semantic-release/npm/beta.svg)](https://www.npmjs.com/package/@semantic-release/npm)
8
9| Step               | Description                                                                                                                      |
10| ------------------ | -------------------------------------------------------------------------------------------------------------------------------- |
11| `verifyConditions` | Verify the presence of the `NPM_TOKEN` environment variable, or an `.npmrc` file, and verify the authentication method is valid. |
12| `prepare`          | Update the `package.json` version and [create](https://docs.npmjs.com/cli/pack) the npm package tarball.                         |
13| `addChannel`       | [Add a release to a dist-tag](https://docs.npmjs.com/cli/dist-tag).                                                              |
14| `publish`          | [Publish the npm package](https://docs.npmjs.com/cli/publish) to the registry.                                                   |
15
16## Install
17
18```bash
19$ npm install @semantic-release/npm -D
20```
21
22## Usage
23
24The plugin can be configured in the [**semantic-release** configuration file](https://github.com/semantic-release/semantic-release/blob/master/docs/usage/configuration.md#configuration):
25
26```json
27{
28  "plugins": ["@semantic-release/commit-analyzer", "@semantic-release/release-notes-generator", "@semantic-release/npm"]
29}
30```
31
32## Configuration
33
34### npm registry authentication
35
36The npm [token](https://docs.npmjs.com/about-access-tokens) authentication configuration is **required** and can be set via [environment variables](#environment-variables).
37
38Automation tokens are recommended since they can be used for an automated workflow, even when your account is configured to use the [`auth-and-writes` level of 2FA](https://docs.npmjs.com/about-two-factor-authentication#authorization-and-writes).
39
40### npm provenance
41
42If you are publishing to the official registry and your pipeline is on a [provider that is supported by npm for provenance](https://docs.npmjs.com/generating-provenance-statements#provenance-limitations), npm can be configured to [publish with provenance](https://docs.npmjs.com/generating-provenance-statements).
43
44Since semantic-release wraps the npm publish command, configuring provenance is not exposed directly.
45Instead, provenance can be configured through the [other configuration options exposed by npm](https://docs.npmjs.com/generating-provenance-statements#using-third-party-package-publishing-tools).
46Provenance applies specifically to publishing, so our recommendation is to configure under `publishConfig` within the `package.json`.
47
48#### npm provenance on GitHub Actions
49
50For package provenance to be signed on the GitHub Actions CI the following permission is required
51to be enabled on the job:
52
53```yaml
54permissions:
55  id-token: write # to enable use of OIDC for npm provenance
56```
57
58It's worth noting that if you are using semantic-release to its fullest with a GitHub release, GitHub comments,
59and other features, then [more permissions are required](https://github.com/semantic-release/github#github-authentication) to be enabled on this job:
60
61```yaml
62permissions:
63  contents: write # to be able to publish a GitHub release
64  issues: write # to be able to comment on released issues
65  pull-requests: write # to be able to comment on released pull requests
66  id-token: write # to enable use of OIDC for npm provenance
67```
68
69Refer to the [GitHub Actions recipe for npm package provenance](https://semantic-release.gitbook.io/semantic-release/recipes/ci-configurations/github-actions#.github-workflows-release.yml-configuration-for-node-projects) for the full CI job's YAML code example.
70
71### Environment variables
72
73| Variable    | Description                                                                                                                   |
74| ----------- | ----------------------------------------------------------------------------------------------------------------------------- |
75| `NPM_TOKEN` | Npm token created via [npm token create](https://docs.npmjs.com/getting-started/working_with_tokens#how-to-create-new-tokens) |
76
77### Options
78
79| Options      | Description                                                                                                        | Default                                                                                                                          |
80| ------------ | ------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------- |
81| `npmPublish` | Whether to publish the `npm` package to the registry. If `false` the `package.json` version will still be updated. | `false` if the `package.json` [private](https://docs.npmjs.com/files/package.json#private) property is `true`, `true` otherwise. |
82| `pkgRoot`    | Directory path to publish.                                                                                         | `.`                                                                                                                              |
83| `tarballDir` | Directory path in which to write the package tarball. If `false` the tarball is not be kept on the file system.    | `false`                                                                                                                          |
84
85**Note**: The `pkgRoot` directory must contain a `package.json`. The version will be updated only in the `package.json` and `npm-shrinkwrap.json` within the `pkgRoot` directory.
86
87**Note**: If you use a [shareable configuration](https://github.com/semantic-release/semantic-release/blob/master/docs/usage/shareable-configurations.md#shareable-configurations) that defines one of these options you can set it to `false` in your [**semantic-release** configuration](https://github.com/semantic-release/semantic-release/blob/master/docs/usage/configuration.md#configuration) in order to use the default value.
88
89### npm configuration
90
91The plugin uses the [`npm` CLI](https://github.com/npm/cli) which will read the configuration from [`.npmrc`](https://docs.npmjs.com/files/npmrc). See [`npm config`](https://docs.npmjs.com/misc/config) for the option list.
92
93The [`registry`](https://docs.npmjs.com/misc/registry) can be configured via the npm environment variable `NPM_CONFIG_REGISTRY` and will take precedence over the configuration in `.npmrc`.
94
95The [`registry`](https://docs.npmjs.com/misc/registry) and [`dist-tag`](https://docs.npmjs.com/cli/dist-tag) can be configured under `publishConfig` in the `package.json`:
96
97```json
98{
99  "publishConfig": {
100    "registry": "https://registry.npmjs.org/",
101    "tag": "latest"
102  }
103}
104```
105
106**Notes**:
107
108- The presence of an `.npmrc` file will override any specified environment variables.
109- The presence of `registry` or `dist-tag` under `publishConfig` in the `package.json` will take precedence over the configuration in `.npmrc` and `NPM_CONFIG_REGISTRY`
110
111### Examples
112
113The `npmPublish` and `tarballDir` option can be used to skip the publishing to the `npm` registry and instead, release the package tarball with another plugin. For example with the [@semantic-release/github](https://github.com/semantic-release/github) plugin:
114
115```json
116{
117  "plugins": [
118    "@semantic-release/commit-analyzer",
119    "@semantic-release/release-notes-generator",
120    [
121      "@semantic-release/npm",
122      {
123        "npmPublish": false,
124        "tarballDir": "dist"
125      }
126    ],
127    [
128      "@semantic-release/github",
129      {
130        "assets": "dist/*.tgz"
131      }
132    ]
133  ]
134}
135```
136
137When publishing from a sub-directory with the `pkgRoot` option, the `package.json` and `npm-shrinkwrap.json` updated with the new version can be moved to another directory with a `postversion`. For example with the [@semantic-release/git](https://github.com/semantic-release/git) plugin:
138
139```json
140{
141  "plugins": [
142    "@semantic-release/commit-analyzer",
143    "@semantic-release/release-notes-generator",
144    [
145      "@semantic-release/npm",
146      {
147        "pkgRoot": "dist"
148      }
149    ],
150    [
151      "@semantic-release/git",
152      {
153        "assets": ["package.json", "npm-shrinkwrap.json"]
154      }
155    ]
156  ]
157}
158```
159
160```json
161{
162  "scripts": {
163    "postversion": "cp -r package.json .. && cp -r npm-shrinkwrap.json .."
164  }
165}
166```

1	`# @semantic-release/npm`
2
3	`[semantic-release](https://github.com/semantic-release/semantic-release) plugin to publish a [npm](https://www.npmjs.com) package.`
4
5	`[![Build Status](https://github.com/semantic-release/npm/workflows/Test/badge.svg)](https://github.com/semantic-release/npm/actions?query=workflow%3ATest+branch%3Amaster) [![npm latest version](https://img.shields.io/npm/v/@semantic-release/npm/latest.svg)](https://www.npmjs.com/package/@semantic-release/npm)`
6	`[![npm next version](https://img.shields.io/npm/v/@semantic-release/npm/next.svg)](https://www.npmjs.com/package/@semantic-release/npm)`
7	`[![npm beta version](https://img.shields.io/npm/v/@semantic-release/npm/beta.svg)](https://www.npmjs.com/package/@semantic-release/npm)`
8
9	`\| Step \| Description \|`
10	`\| ------------------ \| -------------------------------------------------------------------------------------------------------------------------------- \|`
11	\| `verifyConditions` \| Verify the presence of the `NPM_TOKEN` environment variable, or an `.npmrc` file, and verify the authentication method is valid. \|
12	\| `prepare` \| Update the `package.json` version and [create](https://docs.npmjs.com/cli/pack) the npm package tarball. \|
13	\| `addChannel` \| [Add a release to a dist-tag](https://docs.npmjs.com/cli/dist-tag). \|
14	\| `publish` \| [Publish the npm package](https://docs.npmjs.com/cli/publish) to the registry. \|
15
16	`## Install`
17
18	```bash
19	`$ npm install @semantic-release/npm -D`
20	```
21
22	`## Usage`
23
24	`The plugin can be configured in the [semantic-release configuration file](https://github.com/semantic-release/semantic-release/blob/master/docs/usage/configuration.md#configuration):`
25
26	```json
27	`{`
28	`"plugins": ["@semantic-release/commit-analyzer", "@semantic-release/release-notes-generator", "@semantic-release/npm"]`
29	`}`
30	```
31
32	`## Configuration`
33
34	`### npm registry authentication`
35
36	`The npm [token](https://docs.npmjs.com/about-access-tokens) authentication configuration is required and can be set via [environment variables](#environment-variables).`
37
38	Automation tokens are recommended since they can be used for an automated workflow, even when your account is configured to use the [`auth-and-writes` level of 2FA](https://docs.npmjs.com/about-two-factor-authentication#authorization-and-writes).
39
40	`### npm provenance`
41
42	`If you are publishing to the official registry and your pipeline is on a [provider that is supported by npm for provenance](https://docs.npmjs.com/generating-provenance-statements#provenance-limitations), npm can be configured to [publish with provenance](https://docs.npmjs.com/generating-provenance-statements).`
43
44	`Since semantic-release wraps the npm publish command, configuring provenance is not exposed directly.`
45	`Instead, provenance can be configured through the [other configuration options exposed by npm](https://docs.npmjs.com/generating-provenance-statements#using-third-party-package-publishing-tools).`
46	Provenance applies specifically to publishing, so our recommendation is to configure under `publishConfig` within the `package.json`.
47
48	`#### npm provenance on GitHub Actions`
49
50	`For package provenance to be signed on the GitHub Actions CI the following permission is required`
51	`to be enabled on the job:`
52
53	```yaml
54	`permissions:`
55	`id-token: write # to enable use of OIDC for npm provenance`
56	```
57
58	`It's worth noting that if you are using semantic-release to its fullest with a GitHub release, GitHub comments,`
59	`and other features, then [more permissions are required](https://github.com/semantic-release/github#github-authentication) to be enabled on this job:`
60
61	```yaml
62	`permissions:`
63	`contents: write # to be able to publish a GitHub release`
64	`issues: write # to be able to comment on released issues`
65	`pull-requests: write # to be able to comment on released pull requests`
66	`id-token: write # to enable use of OIDC for npm provenance`
67	```
68
69	`Refer to the [GitHub Actions recipe for npm package provenance](https://semantic-release.gitbook.io/semantic-release/recipes/ci-configurations/github-actions#.github-workflows-release.yml-configuration-for-node-projects) for the full CI job's YAML code example.`
70
71	`### Environment variables`
72
73	`\| Variable \| Description \|`
74	`\| ----------- \| ----------------------------------------------------------------------------------------------------------------------------- \|`
75	\| `NPM_TOKEN` \| Npm token created via [npm token create](https://docs.npmjs.com/getting-started/working_with_tokens#how-to-create-new-tokens) \|
76
77	`### Options`
78
79	`\| Options \| Description \| Default \|`
80	`\| ------------ \| ------------------------------------------------------------------------------------------------------------------ \| -------------------------------------------------------------------------------------------------------------------------------- \|`
81	\| `npmPublish` \| Whether to publish the `npm` package to the registry. If `false` the `package.json` version will still be updated. \| `false` if the `package.json` [private](https://docs.npmjs.com/files/package.json#private) property is `true`, `true` otherwise. \|
82	\| `pkgRoot` \| Directory path to publish. \| `.` \|
83	\| `tarballDir` \| Directory path in which to write the package tarball. If `false` the tarball is not be kept on the file system. \| `false` \|
84
85	Note: The `pkgRoot` directory must contain a `package.json`. The version will be updated only in the `package.json` and `npm-shrinkwrap.json` within the `pkgRoot` directory.
86
87	Note: If you use a [shareable configuration](https://github.com/semantic-release/semantic-release/blob/master/docs/usage/shareable-configurations.md#shareable-configurations) that defines one of these options you can set it to `false` in your [semantic-release configuration](https://github.com/semantic-release/semantic-release/blob/master/docs/usage/configuration.md#configuration) in order to use the default value.
88
89	`### npm configuration`
90
91	The plugin uses the [`npm` CLI](https://github.com/npm/cli) which will read the configuration from [`.npmrc`](https://docs.npmjs.com/files/npmrc). See [`npm config`](https://docs.npmjs.com/misc/config) for the option list.
92
93	The [`registry`](https://docs.npmjs.com/misc/registry) can be configured via the npm environment variable `NPM_CONFIG_REGISTRY` and will take precedence over the configuration in `.npmrc`.
94
95	The [`registry`](https://docs.npmjs.com/misc/registry) and [`dist-tag`](https://docs.npmjs.com/cli/dist-tag) can be configured under `publishConfig` in the `package.json`:
96
97	```json
98	`{`
99	`"publishConfig": {`
100	`"registry": "https://registry.npmjs.org/",`
101	`"tag": "latest"`
102	`}`
103	`}`
104	```
105
106	`Notes:`
107
108	- The presence of an `.npmrc` file will override any specified environment variables.
109	- The presence of `registry` or `dist-tag` under `publishConfig` in the `package.json` will take precedence over the configuration in `.npmrc` and `NPM_CONFIG_REGISTRY`
110
111	`### Examples`
112
113	The `npmPublish` and `tarballDir` option can be used to skip the publishing to the `npm` registry and instead, release the package tarball with another plugin. For example with the [@semantic-release/github](https://github.com/semantic-release/github) plugin:
114
115	```json
116	`{`
117	`"plugins": [`
118	`"@semantic-release/commit-analyzer",`
119	`"@semantic-release/release-notes-generator",`
120	`[`
121	`"@semantic-release/npm",`
122	`{`
123	`"npmPublish": false,`
124	`"tarballDir": "dist"`
125	`}`
126	`],`
127	`[`
128	`"@semantic-release/github",`
129	`{`
130	`"assets": "dist/*.tgz"`
131	`}`
132	`]`
133	`]`
134	`}`
135	```
136
137	When publishing from a sub-directory with the `pkgRoot` option, the `package.json` and `npm-shrinkwrap.json` updated with the new version can be moved to another directory with a `postversion`. For example with the [@semantic-release/git](https://github.com/semantic-release/git) plugin:
138
139	```json
140	`{`
141	`"plugins": [`
142	`"@semantic-release/commit-analyzer",`
143	`"@semantic-release/release-notes-generator",`
144	`[`
145	`"@semantic-release/npm",`
146	`{`
147	`"pkgRoot": "dist"`
148	`}`
149	`],`
150	`[`
151	`"@semantic-release/git",`
152	`{`
153	`"assets": ["package.json", "npm-shrinkwrap.json"]`
154	`}`
155	`]`
156	`]`
157	`}`
158	```
159
160	```json
161	`{`
162	`"scripts": {`
163	`"postversion": "cp -r package.json .. && cp -r npm-shrinkwrap.json .."`
164	`}`
165	`}`
166	```