§ BLOG
Field notes from the OIDC trenches.
Every post starts from a real GitHub Issue, an npm docs page, or a Sigstore changelog — and ends with the exact YAML or JSON change that fixed it.
Migrating from NPM_TOKEN to Trusted Publishing — the 5-Step Migration in a Weekend
A weekend-sized migration plan from long-lived NPM_TOKEN secrets to OIDC trusted publishing on npm. Five steps, each reversible until the last, with the rollback path if a publish fails.
§ AT A GLANCE
- Intent: WORKFLOW
- Keyword: migrate NPM_TOKEN to trusted publishing
- Confidence: high
- Sources: 3 cited
§ ALL POSTS
- § CHECKLIST May 18, 2026
Pre-Publish Checklist for a New npm Package in 2026 (Security, Provenance, README)
A grounded pre-publish checklist for a new npm package in 2026: trusted publishing wired, provenance enabled, scoped access, files allowlist, README and license correct, and the search-and-tags that get you found.
kw: npm package pre-publish checklist 2026
- § CONCEPT May 17, 2026
Provenance Attestation, Sigstore, and SLSA Level 3: What They Mean for Indie Package Authors
What provenance attestation, Sigstore, and SLSA Level 3 actually buy you as a solo or small-team npm package author. Plain-language definitions, the verification chain, and what is still your responsibility.
kw: provenance attestation sigstore SLSA level 3
- § COMPARISON May 16, 2026
Trusted Publishing on JSR vs npm: a 2026 Comparison for Library Authors
Where JSR and npm trusted publishing agree, where they diverge, and how to publish the same TypeScript library to both with one workflow and two trusted publishers.
kw: JSR vs npm trusted publishing
- § TEMPLATE May 15, 2026
npm Trusted Publisher GitHub Actions Workflow Template (Copy-Paste, 2026)
A copy-paste GitHub Actions workflow for npm trusted publishing in 2026: id-token, registry-url, --provenance, --access public, and the comments explaining why each line is required.
kw: npm trusted publisher github actions workflow
- § RISK May 14, 2026
npm publish --provenance Failed: the 8 Most Common Reasons and How to Fix Each
The eight failure shapes we see across npm/cli and actions/runner issues when --provenance breaks: OIDC audience drift, Sigstore Fulcio errors, self-hosted runner rejections, and the package.json repository.url mismatch that takes the longest to find.
kw: npm publish --provenance failed
- § PROBLEM May 13, 2026
npm publish OIDC vs NPM_TOKEN: Why Long-Lived Tokens Are Getting Deprecated and What to Migrate To
Why npm is steering maintainers off long-lived NPM_TOKEN secrets toward OIDC trusted publishing, what the security difference actually is, and the exact migration path for a GitHub Actions repo.
kw: npm publish OIDC vs NPM_TOKEN
- § HOW-TO May 12, 2026
npm Trusted Publishing Setup for First-Time Maintainers (with the GitHub Actions YAML That Works)
A first-publish guide for npm trusted publishing (OIDC) on GitHub Actions. The exact permissions block, the registry-url that matters, and the three lines that bypass your trusted publisher silently.
kw: npm trusted publishing setup