The publish GitHub Actions job was failing during npm publish with a registry E404, despite building the package tarball correctly. The workflow's publish job was missing the environment property required for npm's OIDC trusted publisher authentication.
Root cause
The publish job in .github/workflows/publish.yml lacked an environment property, so the OIDC token claims did not match the npm trusted publisher configuration, causing npm to reject the publish with E404.
Workflow change
Added environment: release to the publish job so the OIDC token claims include the correct environment, allowing npm to verify the trusted publisher link and authenticate the publish request automatically — no NODE_AUTH_TOKEN or manual npm secret needed.
Scope
Single-file workflow-only change in .github/workflows/publish.yml (no runtime/package logic changes).
Note: A GitHub environment named release must exist in the repository settings (Settings → Environments), and the npm trusted publisher configuration must use release as the environment name.
@copilot I am using the new npm trusted publisher, and I've added this repo as a trusted publisher. Fix the issue based on that, read the docs.
Reverted the NODE_AUTH_TOKEN approach — not needed with OIDC trusted publishers. The root cause of the E404 was the missing environment property on the publish job. npm requires the OIDC token claims to include the environment name matching your trusted publisher configuration.
Added environment: release to the publish job. If you configured a different environment name in your npm trusted publisher settings, update it to match. You'll also need a GitHub environment called release in your repo settings (Settings → Environments → New environment → "release").
Commit: cc52cfa
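To see which claim differs when a publish is rejected like this, the following added example (not part of this pull request and not npm's implementation) decodes a GitHub Actions OIDC token payload and lists the fields that do not match a trusted publisher entry. The repository name, sample tokens and comparison rules are constructed assumptions; `repository`, `workflow_ref` and `environment` are claims GitHub places in its OIDC tokens.

```javascript
// Added diagnostic example; the comparison rules are an assumption, not npm's code.
// The payload is decoded WITHOUT verifying the signature, so this is only for
// inspecting claims while debugging, never for making a trust decision.
function decodeClaims(jwt) {
  const parts = jwt.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  // Node's "base64" decoder also accepts the URL-safe alphabet used by JWTs.
  return JSON.parse(Buffer.from(parts[1], "base64").toString("utf8"));
}

// `expected` mirrors a trusted publisher entry: repository, workflow filename
// and an optional environment name.
function findMismatches(claims, expected) {
  const problems = [];
  if (claims.repository !== expected.repository) {
    problems.push(`repository: got ${claims.repository}, expected ${expected.repository}`);
  }
  // workflow_ref looks like "owner/repo/.github/workflows/file.yml@refs/..."
  const workflowFile = String(claims.workflow_ref || "").split("@")[0].split("/").pop();
  if (workflowFile !== expected.workflow) {
    problems.push(`workflow: got ${workflowFile}, expected ${expected.workflow}`);
  }
  // A job without `environment:` produces a token with no environment claim.
  if (expected.environment && claims.environment !== expected.environment) {
    const got = claims.environment === undefined ? "(none)" : claims.environment;
    problems.push(`environment: got ${got}, expected ${expected.environment}`);
  }
  return problems;
}

// Builds an unsigned, constructed sample token so the example runs offline.
function makeSampleToken(claims) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "RS256", typ: "JWT" })}.${enc(claims)}.constructed-signature`;
}

const BASE = { // constructed sample claims
  repository: "example-org/example-pkg",
  workflow_ref: "example-org/example-pkg/.github/workflows/publish.yml@refs/tags/v1.0.0",
};
const TOKEN_WITHOUT_ENV = makeSampleToken({ ...BASE, sub: "repo:example-org/example-pkg:ref:refs/tags/v1.0.0" });
const TOKEN_WITH_ENV = makeSampleToken({ ...BASE, environment: "release", sub: "repo:example-org/example-pkg:environment:release" });
const EXPECTED = { repository: "example-org/example-pkg", workflow: "publish.yml", environment: "release" };

console.log(findMismatches(decodeClaims(TOKEN_WITHOUT_ENV), EXPECTED));
console.log(findMismatches(decodeClaims(TOKEN_WITH_ENV), EXPECTED));
```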
Copilot (AI) changed the title from "Ensure npm auth token is explicitly wired in publish workflow" to "Fix publish workflow for npm OIDC trusted publishing" on Jun 16, 2026