The documentation for npm Trusted Publishers (OIDC) at
https://docs.npmjs.com/trusted-publishers does not currently explain how to publish a package for the first time using this mechanism.
While the guide covers how to configure and use trusted publishing for existing packages, it lacks clarity on the initial publishing workflow.
In our case, attempting to publish a package for the first time using a GitHub Actions workflow with OIDC failed. The publish step did not succeed when the package did not yet exist on npm.
As a workaround, we had to:
- Perform the first publish manually (outside of OIDC / Trusted Publishers); this is something we would like to avoid
- After the initial release existed on npm, subsequent releases using the GitHub Action with Trusted Publishers worked as expected
Documentation should explain how to handle first-time publishing with Trusted Publishers, including whether a manual initial publish is required.
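For reference, the shape of the GitHub Actions workflow the report refers to, as an added example that is not part of the issue or of npm's documentation. It assumes the package already exists on npm with this repository and workflow file registered as a trusted publisher (the condition the report says was missing on the first publish) and that the runner's npm CLI supports trusted publishing; the workflow name, trigger and Node version are placeholders.

```yaml
# Added example (not from the issue or npm docs): minimal release workflow
# publishing with npm Trusted Publishers (OIDC) instead of a stored token.
# Assumptions: the package already exists on npm with this repo/workflow
# registered as a trusted publisher; npm CLI on the runner supports OIDC.
name: Publish to npm

on:
  release:
    types: [published]

permissions:
  contents: read   # checkout only; no write access to the repository
  id-token: write  # lets the job mint the OIDC token that npm verifies

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org

      - run: npm ci

      # No NODE_AUTH_TOKEN / NPM_TOKEN secret is configured: npm exchanges
      # the workflow's OIDC token for a short-lived publish credential, and
      # --provenance attaches a signed attestation tying the tarball to
      # this repository, workflow and run.
      - run: npm publish --provenance --access public
```

Because no long-lived npm token is stored in repository secrets, later releases cannot be published by anyone who merely obtains a leaked token; they must run through this registered workflow.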