@jsdevtools/npm-publish 4.1.0 → 4.1.2

package/README.md

@@ -32,16 +32,14 @@ jobs:
       contents: read
       id-token: write
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
         with:
           node-version: "24"
           registry-url: "https://registry.npmjs.org"
       - run: npm ci
       - run: npm test
-      - run: npm publish --provenance --ignore-scripts
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+      - run: npm publish --ignore-scripts
 ```
 
 See GitHub's [Node.js publishing][] guide and npm's [trusted publishing][] docs for more details and examples.
@@ -78,7 +76,7 @@ This package can be used three different ways:
 
 ## GitHub Action
 
-To use the GitHub Action, you'll need to add it as a step in your [workflow file][]. By default, the only thing you need to do is set the `token` parameter to your [npm authentication token][].
+To use the GitHub Action, you'll need to add it as a step in your [workflow file][]. By default, the only thing you need to do is set `permissions.id-token` to `write` to enable [trusted publishing][] via OIDC.
 
 ```yaml
 on:
@@ -88,41 +86,27 @@ on:
 jobs:
   publish:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
         with:
           node-version: "24"
       - run: npm ci
       - run: npm test
       - uses: JS-DevTools/npm-publish@v4
-        with:
-          token: ${{ secrets.NPM_TOKEN }}
 ```
 
-If you have [trusted publishing][] configured for your package and use `npm@>=11.5.1`, you can omit the `token` input and use OIDC instead.
-
 > [!IMPORTANT]
-> If you're publishing a private package, you will still need to provide a read-only `token` so the action can read existing versions from the registry before publish.
-
-```diff
-  jobs:
-    publish:
-      runs-on: ubuntu-latest
-+     permissions:
-+       contents: read
-+       id-token: write  # required to use OIDC
-      steps:
-        - uses: actions/checkout@v5
-        - uses: actions/setup-node@v5
-          with:
-            node-version: "24"  # includes npm@11.6.0
-        - run: npm ci
-        - run: npm test
-        - uses: JS-DevTools/npm-publish@v4
--         with:
--           token: ${{ secrets.NPM_TOKEN }}
-```
+> If you're publishing a private package with [trusted publishing][], you will still need to provide a read-only [`token`][npm authentication token] so the action can read existing versions from the registry before publish.
+>
+> ```diff
+>   - uses: JS-DevTools/npm-publish@v4
+> +   with:
+> +     token: ${{ secrets.NPM_TOKEN }}
+> ```
 
 You can also publish to third-party registries. For example, to publish to the [GitHub Package Registry][], set `token` to `secrets.GITHUB_TOKEN` and `registry` to `https://npm.pkg.github.com`:
 
@@ -138,8 +122,8 @@ jobs:
       contents: read
       packages: write # allow GITHUB_TOKEN to publish packages
     steps:
-      - uses: actions/checkout@v5
-      - uses: actions/setup-node@v5
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
         with:
           node-version: "24"
       - run: npm ci
@@ -161,7 +145,7 @@ You can set any or all of the following input parameters using `with`:
 
 | Name             | Type                   | Default                       | Description                                                                      |
 | ---------------- | ---------------------- | ----------------------------- | -------------------------------------------------------------------------------- |
-| `token`          | string                 | unspecified                   | Registry authentication token, not required if using [trusted publishing][]³     |
+| `token`          | string                 | None                          | Registry authentication token, not required if using [trusted publishing][]³     |
 | `registry`¹      | string                 | `https://registry.npmjs.org/` | Registry URL to use.                                                             |
 | `package`        | string                 | Current working directory     | Path to a package directory, a `package.json`, or a packed `.tgz` to publish.    |
 | `tag`¹           | string                 | `latest`                      | [Distribution tag][npm-tag] to publish to.                                       |
@@ -187,8 +171,6 @@ npm-publish exposes several output variables, which you can use in later steps o
   steps:
     - uses: JS-DevTools/npm-publish@v4
 +     id: publish
-      with:
-        token: ${{ secrets.NPM_TOKEN }}
 
 +   - if: ${{ steps.publish.outputs.type }}
 +     run: echo "Version changed!"
@@ -237,7 +219,7 @@ import type { Options } from "@jsdevtools/npm-publish";
 
 | Name                 | Type                   | Default                       | Description                                                                      |
 | -------------------- | ---------------------- | ----------------------------- | -------------------------------------------------------------------------------- |
-| `token`              | string                 | **required**                  | Registry authentication token, not required if using [trusted publishing][]³     |
+| `token`              | string                 | None                          | Registry authentication token, not required if using [trusted publishing][]³     |
 | `registry`¹          | string, `URL`          | `https://registry.npmjs.org/` | Registry URL to use.                                                             |
 | `package`            | string                 | Current working directory     | Path to a package directory, a `package.json`, or a packed `.tgz` to publish.    |
 | `tag`¹               | string                 | `latest`                      | [Distribution tag][npm-tag] to publish to.                                       |
@@ -246,7 +228,7 @@ import type { Options } from "@jsdevtools/npm-publish";
 | `strategy`           | `all`, `upgrade`       | `all`                         | Use `all` to publish all unique versions, `upgrade` for only semver upgrades.    |
 | `ignoreScripts`      | boolean                | `true`                        | Run `npm publish` with the `--ignore-scripts` flag as a security precaution.     |
 | `dryRun`             | boolean                | `false`                       | Run `npm publish` with the `--dry-run` flag to prevent publication.              |
-| `logger`             | object                 | `undefined`                   | Logging interface with `debug`, `info`, and `error` log methods.                 |
+| `logger`             | object                 | None                          | Logging interface with `debug`, `info`, and `error` log methods.                 |
 | `temporaryDirectory` | string                 | `os.tmpdir()`                 | Temporary directory to hold a generated `.npmrc` file                            |
 
 1. May be specified using `publishConfig` in `package.json`.
@@ -395,7 +377,7 @@ The `check-version` and `greater-version-only` boolean options were replaced wit
 `check-version: false` has been removed. If you only need to publish, without first checking whether the version exists in the registry, you can [use `npm` directly][publishing-nodejs-packages] instead:
 
 ```diff
-  - uses: actions/setup-node@v5
+  - uses: actions/setup-node@v6
     with:
       node-version: '24'
 +     registry-url: https://registry.npmjs.org/
@@ -447,7 +429,7 @@ If you can't change your build, you can set the `ignore-scripts` input to `false
 The global `.npmrc` file is no longer read nor modified. This means the `token` option is now required for the library and CLI. (It was already required for the action.) You may have workarounds in place referencing `INPUT_TOKEN`, which v1 [erroneously wrote][#15] to `.npmrc`. These workarounds should be removed.
 
 ```diff
-  - uses: actions/setup-node@v5
+  - uses: actions/setup-node@v6
     with:
       node-version: '24'
       registry-url: https://registry.npmjs.org/

package/lib/action/core.d.ts

@@ -1,5 +1,5 @@
 import type { Logger } from "../options.js";
-/** Logger using the methods from @actions/core. */
+/** Logger using the methods from `@actions/core`. */
 export declare const logger: Logger;
 /**
  * Get input by name.

package/lib/action/core.js

@@ -1,6 +1,6 @@
-/** Wrapper module for @actions/core */
+/** Wrapper module for `@actions/core` */
 import { debug as ghLogDebug, error as ghLogError, getInput as ghGetInput, info as ghLogInfo, setFailed as ghSetFailed, setOutput as ghSetOutput, setSecret as ghSetSecret, } from "@actions/core";
-/** Logger using the methods from @actions/core. */
+/** Logger using the methods from `@actions/core`. */
 export const logger = {
     debug: ghLogDebug,
     info: ghLogInfo,

package/lib/action/core.js.map

@@ -1 +1 @@
-{"version":3,"file":"core.js","sourceRoot":"","sources":["../../src/action/core.ts"],"names":[],"mappings":"AAAA,uCAAuC;AACvC,OAAO,EACL,KAAK,IAAI,UAAU,EACnB,KAAK,IAAI,UAAU,EACnB,QAAQ,IAAI,UAAU,EACtB,IAAI,IAAI,SAAS,EACjB,SAAS,IAAI,WAAW,EACxB,SAAS,IAAI,WAAW,EACxB,SAAS,IAAI,WAAW,GACzB,MAAM,eAAe,CAAC;AAIvB,mDAAmD;AACnD,MAAM,CAAC,MAAM,MAAM,GAAW;IAC5B,KAAK,EAAE,UAAU;IACjB,IAAI,EAAE,SAAS;IACf,KAAK,EAAE,UAAU;CAClB,CAAC;AAEF;;;;;GAKG;AACH,MAAM,UAAU,QAAQ,CAAC,IAAY;IACnC,MAAM,WAAW,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC;IACrC,OAAO,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC;AAC1D,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAAC,IAAY;IACzC,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC;IACnC,IAAI,WAAW,EAAE,CAAC;QAChB,WAAW,CAAC,WAAW,CAAC,CAAC;IAC3B,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,IAAY;IAC1C,MAAM,WAAW,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IAEnD,IAAI,WAAW,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IACxC,IAAI,WAAW,KAAK,OAAO;QAAE,OAAO,KAAK,CAAC;IAC1C,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,SAAS,CAAC,KAAc;IACtC,WAAW,CAAC,KAAc,CAAC,CAAC;AAC9B,CAAC;AAuBD,MAAM,UAAU,SAAS,CACvB,IAAY,EACZ,KAAmC,EACnC,YAA+B;IAE/B,WAAW,CAAC,IAAI,EAAE,KAAK,IAAI,YAAY,CAAC,CAAC;AAC3C,CAAC"}
+{"version":3,"file":"core.js","sourceRoot":"","sources":["../../src/action/core.ts"],"names":[],"mappings":"AAAA,yCAAyC;AACzC,OAAO,EACL,KAAK,IAAI,UAAU,EACnB,KAAK,IAAI,UAAU,EACnB,QAAQ,IAAI,UAAU,EACtB,IAAI,IAAI,SAAS,EACjB,SAAS,IAAI,WAAW,EACxB,SAAS,IAAI,WAAW,EACxB,SAAS,IAAI,WAAW,GACzB,MAAM,eAAe,CAAC;AAIvB,qDAAqD;AACrD,MAAM,CAAC,MAAM,MAAM,GAAW;IAC5B,KAAK,EAAE,UAAU;IACjB,IAAI,EAAE,SAAS;IACf,KAAK,EAAE,UAAU;CAClB,CAAC;AAEF;;;;;GAKG;AACH,MAAM,UAAU,QAAQ,CAAC,IAAY;IACnC,MAAM,WAAW,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC;IACrC,OAAO,WAAW,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,SAAS,CAAC;AAC1D,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,cAAc,CAAC,IAAY;IACzC,MAAM,WAAW,GAAG,QAAQ,CAAC,IAAI,CAAC,CAAC;IACnC,IAAI,WAAW,EAAE,CAAC;QAChB,WAAW,CAAC,WAAW,CAAC,CAAC;IAC3B,CAAC;IAED,OAAO,WAAW,CAAC;AACrB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,eAAe,CAAC,IAAY;IAC1C,MAAM,WAAW,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;IAEnD,IAAI,WAAW,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IACxC,IAAI,WAAW,KAAK,OAAO;QAAE,OAAO,KAAK,CAAC;IAC1C,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;GAIG;AACH,MAAM,UAAU,SAAS,CAAC,KAAc;IACtC,WAAW,CAAC,KAAc,CAAC,CAAC;AAC9B,CAAC;AAuBD,MAAM,UAAU,SAAS,CACvB,IAAY,EACZ,KAAmC,EACnC,YAA+B;IAE/B,WAAW,CAAC,IAAI,EAAE,KAAK,IAAI,YAAY,CAAC,CAAC;AAC3C,CAAC"}

package/lib/format-publish-result.js

@@ -10,10 +10,11 @@ const CONTENTS_BANNER = "=== Contents ===";
  * @returns Formatted string.
  */
 export function formatPublishResult(manifest, options, result) {
-    const lines = [];
-    lines.push(result.id === undefined
-        ? `🙅‍♀️ ${manifest.name}@${manifest.version} already published.`
-        : `📦 ${result.id}`);
+    const lines = [
+        result.id === undefined
+            ? `🙅‍♀️ ${manifest.name}@${manifest.version} already published.`
+            : `📦 ${result.id}`,
+    ];
     if (result.files.length > 0) {
         lines.push("", CONTENTS_BANNER);
     }

package/lib/format-publish-result.js.map

@@ -1 +1 @@
-{"version":3,"file":"format-publish-result.js","sourceRoot":"","sources":["../src/format-publish-result.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AAMzB,MAAM,cAAc,GAClB,iEAAiE,CAAC;AAEpE,MAAM,eAAe,GAAG,kBAAkB,CAAC;AAE3C;;;;;;;GAOG;AACH,MAAM,UAAU,mBAAmB,CACjC,QAAyB,EACzB,OAA0B,EAC1B,MAAqB;IAErB,MAAM,KAAK,GAAG,EAAE,CAAC;IAEjB,KAAK,CAAC,IAAI,CACR,MAAM,CAAC,EAAE,KAAK,SAAS;QACrB,CAAC,CAAC,SAAS,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,OAAO,qBAAqB;QACjE,CAAC,CAAC,MAAM,MAAM,CAAC,EAAE,EAAE,CACtB,CAAC;IAEF,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,KAAK,CAAC,IAAI,CAAC,EAAE,EAAE,eAAe,CAAC,CAAC;IAClC,CAAC;IAED,KAAK,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QAC1C,KAAK,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC;IAC7C,CAAC;IAED,OAAO,CACL,OAAO,CAAC,MAAM,CAAC,KAAK;QAClB,CAAC,CAAC,CAAC,cAAc,EAAE,EAAE,EAAE,GAAG,KAAK,EAAE,EAAE,EAAE,cAAc,CAAC;QACpD,CAAC,CAAC,KAAK,CACV,CAAC,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,GAAG,CAAC,IAAY,EAAU,EAAE;IAC1C,IAAI,IAAI,GAAG,IAAI,EAAE,CAAC;QAChB,OAAO,GAAG,IAAI,IAAI,CAAC;IACrB,CAAC;IACD,IAAI,IAAI,GAAG,SAAS,EAAE,CAAC;QACrB,OAAO,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC;IAC1C,CAAC;IAED,OAAO,GAAG,CAAC,IAAI,GAAG,SAAS,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC;AAC/C,CAAC,CAAC"}
+{"version":3,"file":"format-publish-result.js","sourceRoot":"","sources":["../src/format-publish-result.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AAMzB,MAAM,cAAc,GAClB,iEAAiE,CAAC;AAEpE,MAAM,eAAe,GAAG,kBAAkB,CAAC;AAE3C;;;;;;;GAOG;AACH,MAAM,UAAU,mBAAmB,CACjC,QAAyB,EACzB,OAA0B,EAC1B,MAAqB;IAErB,MAAM,KAAK,GAAG;QACZ,MAAM,CAAC,EAAE,KAAK,SAAS;YACrB,CAAC,CAAC,SAAS,QAAQ,CAAC,IAAI,IAAI,QAAQ,CAAC,OAAO,qBAAqB;YACjE,CAAC,CAAC,MAAM,MAAM,CAAC,EAAE,EAAE;KACtB,CAAC;IAEF,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC5B,KAAK,CAAC,IAAI,CAAC,EAAE,EAAE,eAAe,CAAC,CAAC;IAClC,CAAC;IAED,KAAK,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;QAC1C,KAAK,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,IAAI,CAAC,KAAK,IAAI,EAAE,CAAC,CAAC;IAC7C,CAAC;IAED,OAAO,CACL,OAAO,CAAC,MAAM,CAAC,KAAK;QAClB,CAAC,CAAC,CAAC,cAAc,EAAE,EAAE,EAAE,GAAG,KAAK,EAAE,EAAE,EAAE,cAAc,CAAC;QACpD,CAAC,CAAC,KAAK,CACV,CAAC,IAAI,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC;AACjB,CAAC;AAED,MAAM,UAAU,GAAG,CAAC,IAAY,EAAU,EAAE;IAC1C,IAAI,IAAI,GAAG,IAAI,EAAE,CAAC;QAChB,OAAO,GAAG,IAAI,IAAI,CAAC;IACrB,CAAC;IACD,IAAI,IAAI,GAAG,SAAS,EAAE,CAAC;QACrB,OAAO,GAAG,CAAC,IAAI,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC;IAC1C,CAAC;IAED,OAAO,GAAG,CAAC,IAAI,GAAG,SAAS,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,KAAK,CAAC;AAC/C,CAAC,CAAC"}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@jsdevtools/npm-publish",
   "description": "Fast, easy publishing to NPM",
-  "version": "4.1.0",
+  "version": "4.1.2",
   "keywords": [
     "github-action",
     "npm",
@@ -52,32 +52,32 @@
     "provenance": true
   },
   "devDependencies": {
-    "@actions/core": "^1.11.1",
-    "@mcous/eslint-config": "^0.7.0",
+    "@actions/core": "^2.0.1",
+    "@mcous/eslint-config": "^0.8.0",
     "@mcous/prettier-config": "^0.4.0",
     "@mcous/typescript-config": "^0.3.0",
     "@types/command-line-args": "^5.2.3",
-    "@types/node": "^24.4.0",
+    "@types/node": "^25.0.3",
     "@types/validate-npm-package-name": "^4.0.2",
-    "@vitest/coverage-v8": "^3.2.4",
+    "@vitest/coverage-v8": "^4.0.16",
     "concurrently": "^9.2.1",
-    "eslint": "^9.35.0",
-    "eslint-plugin-jsdoc": "^57.0.8",
-    "globals": "^16.4.0",
-    "prettier": "^3.6.2",
-    "prettier-plugin-jsdoc": "^1.3.3",
-    "rimraf": "^6.0.1",
-    "rolldown": "1.0.0-beta.37",
+    "eslint": "^9.39.2",
+    "eslint-plugin-jsdoc": "^61.5.0",
+    "globals": "^17.0.0",
+    "prettier": "^3.7.4",
+    "prettier-plugin-jsdoc": "^1.8.0",
+    "rimraf": "^6.1.2",
+    "rolldown": "1.0.0-beta.58",
     "typescript": "^5.9.2",
-    "vitest": "^3.2.4",
-    "vitest-when": "^0.8.0"
+    "vitest": "^4.0.16",
+    "vitest-when": "^0.10.0"
   },
   "dependencies": {
     "@types/semver": "^7.7.1",
     "command-line-args": "6.0.1",
-    "semver": "7.7.2",
-    "tar": "7.4.3",
-    "validate-npm-package-name": "^6.0.2"
+    "semver": "7.7.3",
+    "tar": "7.5.2",
+    "validate-npm-package-name": "^7.0.1"
   },
-  "packageManager": "pnpm@10.16.1+sha256.b77e92ba0d59a6372b6c5041bbb3f866fb85e927df333827f0c7f577c5e1a713"
+  "packageManager": "pnpm@10.27.0+sha512.72d699da16b1179c14ba9e64dc71c9a40988cbdc65c264cb0e489db7de917f20dcf4d64d8723625f2969ba52d4b7e2a1170682d9ac2a5dcaeaab732b7e16f04a"
 }

package/src/action/core.ts

@@ -1,4 +1,4 @@
-/** Wrapper module for @actions/core */
+/** Wrapper module for `@actions/core` */
 import {
   debug as ghLogDebug,
   error as ghLogError,
@@ -11,7 +11,7 @@ import {
 
 import type { Logger } from "../options.js";
 
-/** Logger using the methods from @actions/core. */
+/** Logger using the methods from `@actions/core`. */
 export const logger: Logger = {
   debug: ghLogDebug,
   info: ghLogInfo,

package/src/format-publish-result.ts

@@ -22,13 +22,11 @@ export function formatPublishResult(
   options: NormalizedOptions,
   result: PublishResult
 ): string {
-  const lines = [];
-
-  lines.push(
+  const lines = [
     result.id === undefined
       ? `🙅‍♀️ ${manifest.name}@${manifest.version} already published.`
-      : `📦 ${result.id}`
-  );
+      : `📦 ${result.id}`,
+  ];
 
   if (result.files.length > 0) {
     lines.push("", CONTENTS_BANNER);