Let’s cut to the chase — your CI isn’t actually authenticating you before npm publish, so npm falls back to “you’re not logged in.”
Use actions/setup-node’s built-in auth
Let the action write your token into ~/.npmrc (and skip committing your own). You do this by setting the scope, registry-url and passing your NODE_AUTH_TOKEN at the job level so it’s available during setup.
Remove (or ignore) your repo-level .npmrc
A rogue, un-templated .npmrc in your repo can override the one setup-node creates.
Verify with npm whoami
Add a quick check right before publish to prove you’re authenticated.
name: Publish to NPM
on:
workflow_run:
workflows: ["Reversion"]
types: [completed]
jobs:
publish:
runs-on: ubuntu-latest
# make the token available to ALL steps (including setup-node)
env:
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
steps:
- uses: actions/checkout@v3
- name: Setup Node.js & auth
uses: actions/setup-node@v4
with:
node-version: '18.x'
registry-url: 'https://registry.npmjs.org'
scope: '@dev-dae' # <-- your package scope
always-auth: true # <-- ensure scoped packages always use auth
- name: Install dependencies
run: npm ci
- name: Verify npm login
run: npm whoami
# if this prints your npm username, auth is working
# - name: Build package
# run: npm run build
- name: Publish to npm
run: npm publish --access public
scope + registry-url tells setup-node to write an @dev-dae:registry=… stanza into ~/.npmrc. always-auth: true forces all requests (including scoped publishes) to use the token. By exporting NODE_AUTH_TOKEN at the job level, setup-node picks it up automatically — no manual echo or custom .npmrc required. The npm whoami step is your smoke test: if it errors, you know something’s still wrong with the token or scope.
If you ever do see a downvote, I’ll flag it with you constructively — no silent punishments here. Let’s focus on getting your pipeline green.