
The 14-row npm trusted publishing preflight.

Paste your package.json and your publish.yml. Every check runs locally in your browser — no signup, no server, no telemetry.

npm Trusted Publishing Preflight Checklist

Paste your package.json and your GitHub Actions publish workflow. Fourteen checks run locally in your browser. No file leaves this page.

  1. package.json has a name field
  2. package.json has a version field
  3. package.json#repository.url matches the GitHub repository the workflow runs in (npm refuses to attach provenance when they disagree)
  4. package.json has publishConfig.access = "public" (required for scoped packages, which default to restricted)
  5. package.json has a "files" allowlist or the project has a .npmignore
  6. Workflow grants id-token: write (the OIDC token npm exchanges for a publish credential)
  7. Workflow grants contents: read (or write only if the job itself creates the tag)
  8. Workflow uses actions/setup-node@v4 or newer
  9. setup-node sets registry-url: https://registry.npmjs.org
  10. npm publish uses --provenance
  11. Workflow does NOT export NPM_TOKEN or set //registry.npmjs.org/:_authToken (a token in the environment is used instead of OIDC, silently bypassing trusted publishing)
  12. Workflow runs npm publish (the checker does not recognize yarn publish or pnpm publish)
  13. Workflow runs on a release or tag event, not on arbitrary pushes
  14. Workflow runs on a documented GitHub-hosted runner (ubuntu-latest, ubuntu-24.04, etc.); self-hosted runners are not trusted by the registry
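The fourteen checks above, implemented as an added example (this is not the page's own checker, whose source is not shown). package.json is parsed as JSON; the workflow is scanned with line-oriented regular expressions rather than a YAML parser, so the workflow checks are approximations tuned to the usual single-job publish.yml shape. The package name @acme/example-lib, the repository slug acme/example-lib and both workflows are constructed inputs; the "bad" workflow is the same job switched to a push trigger and a long-lived token, which checks 10, 11 and 13 are there to catch.

```javascript
// Added example, not the page's checker: dependency-free versions of the 14 checks.
// Workflow scanning is regex-based (no YAML parser), so treat results as approximate.

// Constructed sample inputs for a hypothetical scoped package @acme/example-lib.
const GOOD_PACKAGE_JSON = `{
  "name": "@acme/example-lib",
  "version": "1.2.3",
  "repository": { "type": "git", "url": "git+https://github.com/acme/example-lib.git" },
  "publishConfig": { "access": "public" },
  "files": ["dist"]
}`;

const GOOD_WORKFLOW = `name: publish
on:
  release:
    types: [published]
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm install -g npm@latest
      - run: npm ci
      - run: npm publish --provenance --access public
`;

// Same job, but triggered on every push to main and authenticated with a stored
// token instead of OIDC: the anti-pattern that checks 10, 11 and 13 flag.
const BAD_WORKFLOW = `name: publish
on:
  push:
    branches: [main]
permissions:
  contents: read
  id-token: write
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: \${{ secrets.NPM_TOKEN }}
`;

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');

// opts.repoSlug is "owner/repo" (what github.repository carries at run time);
// opts.hasNpmignore lets the caller say whether a .npmignore exists, since that
// file is not visible from package.json. Both are assumptions of this example.
function runPreflight(pkgJsonText, workflowText, opts = {}) {
  const pkg = JSON.parse(pkgJsonText);
  const has = (re) => re.test(workflowText);
  const repo = pkg.repository;
  // Accept both the object form and the "github:owner/repo" shorthand.
  const repoUrl = (typeof repo === 'string' ? repo : (repo && repo.url) || '')
    .replace(/^github:/, 'https://github.com/');
  const repoRe = new RegExp(`github\\.com[/:]${escapeRe(opts.repoSlug || '')}(\\.git)?/?$`);
  const scoped = typeof pkg.name === 'string' && pkg.name.startsWith('@');
  const access = pkg.publishConfig && pkg.publishConfig.access;
  const checks = [
    ['01', 'package.json has a name field', typeof pkg.name === 'string' && pkg.name.length > 0],
    ['02', 'package.json has a version field', typeof pkg.version === 'string' && pkg.version.length > 0],
    ['03', 'repository.url matches GitHub repo', repoRe.test(repoUrl)],
    ['04', 'publishConfig.access = "public" for scoped packages', !scoped || access === 'public'],
    ['05', '"files" allowlist or .npmignore', (Array.isArray(pkg.files) && pkg.files.length > 0) || !!opts.hasNpmignore],
    ['06', 'workflow grants id-token: write', has(/^\s*id-token:\s*write\s*$/m)],
    ['07', 'workflow grants contents: read or write', has(/^\s*contents:\s*(read|write)\s*$/m)],
    ['08', 'uses actions/setup-node@v4 or newer', has(/uses:\s*actions\/setup-node@v([4-9]|\d{2,})\b/)],
    ['09', 'setup-node registry-url is registry.npmjs.org', has(/^\s*registry-url:\s*['"]?https:\/\/registry\.npmjs\.org\/?['"]?\s*$/m)],
    ['10', 'npm publish uses --provenance', has(/\bnpm publish\b[^\n]*--provenance\b/)],
    ['11', 'no NPM_TOKEN or _authToken in workflow', !has(/NPM_TOKEN|_authToken/)],
    ['12', 'publishes with npm, not yarn/pnpm', has(/\bnpm publish\b/) && !has(/\b(yarn|pnpm) publish\b/)],
    ['13', 'triggered by release or tag, not arbitrary push', has(/^\s*release:\s*$/m) || has(/^\s*tags:/m)],
    ['14', 'runs on a GitHub-hosted runner', has(/^\s*runs-on:\s*(ubuntu|windows|macos)-(latest|[\d.]+)\s*$/m)],
  ];
  return checks.map(([id, label, pass]) => ({ id, label, pass }));
}

// Convenience: the ids of the checks that failed, in checklist order.
const failingIds = (results) => results.filter((r) => !r.pass).map((r) => r.id);

const OPTS = { repoSlug: 'acme/example-lib', hasNpmignore: false };
console.log('good workflow fails:', failingIds(runPreflight(GOOD_PACKAGE_JSON, GOOD_WORKFLOW, OPTS)));
console.log('bad workflow fails: ', failingIds(runPreflight(GOOD_PACKAGE_JSON, BAD_WORKFLOW, OPTS)));
```

Check 03 is the one that needs input the files themselves do not carry: npm compares repository.url against the repository the OIDC token was minted for, so the scanner has to be told which repository that is. Check 11 is deliberately coarse: any mention of NPM_TOKEN or _authToken fails it, because a token that reaches the npm CLI is used in preference to the OIDC exchange.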

The checklist is a static scan of the two files, so all fourteen checks are things that can be read from package.json and publish.yml. It cannot verify the npm registry's trusted-publisher binding. That is a manual check on npmjs.com → your package → Settings → Trusted Publishers, where the repository owner, repository name and workflow filename (plus the environment, if the job uses one) must match exactly what the workflow runs as; the filename is compared literally, so a binding for publish.yml will not accept release.yml. Two other things the scan cannot see: that the npm CLI on the runner is 11.5.1 or newer, which trusted publishing requires (the npm 10.x bundled with Node 22 is too old, so upgrade it with npm install -g npm@latest before publishing), and that no later step or reusable action reintroduces a token into the environment.