Publishing npm packages to multiple registries with Github actions

March 14, 20213 min read

This blog post covers what you need to know in order to automate publishing an npm package to Npm and Github package registries. It can also be useful if you want to publish a package only into one of the mentioned registries.

Github actions

Github action is a CI/CD tool integrated within Github repositories that can run different kinds of jobs (building, testing, deployment) when code is pushed to specific branches. The configuration file should be stored in .github/workflows inside the package repository.

Package registries

There are two main npm package registries, Npm and Github package registries (GPR), which are available at registry.npmjs.org and npm.pkg.github.com respectively. The scope lets you group the packages (e.g. @OWNER/PACKAGE), it is required for every published package at GPR, while it is optional to use it at the Npm package registry. In this article, both of the registries will use the scope.

Prerequisites for publishing

In order to publish packages with Github actions, using an access token is required. For Npm new access token can be generated on the Access Tokens page, Automation access token is the most suitable for CI/CD pipeline. For Github, generated personal access token should have repo and write:packages scopes. To avoid exposing the credentials in the codebase, the Github action configuration file should use repository secrets. The package version should be incremented in regards to previously published version.


publish job contains commands for setting up the default registry, auth tokens, and running the publish script.

# .github/workflows/config.yml
# ...
# ...
needs: lint-test-audit
runs-on: ubuntu-latest
# ...
- name: Set package registry
run: npm config set registry https://npm.pkg.github.com
- name: Github package registry authentication
run: npm set //npm.pkg.github.com/:_authToken ${{ secrets.GPR_TOKEN }}
- name: Npm registry authentication
run: npm set //registry.npmjs.org/:_authToken ${{ secrets.NPM_TOKEN }}
- name: Publish the package to Github and Npm package registries
run: npm publish

postpublish npm script will trigger publishing to Npm package registry.

"scripts": {
"postpublish": "npm run publish-npm",
"publish-npm": "npm publish --access public --ignore-scripts --@OWNER:registry='https://registry.npmjs.org'"

Package installation

After successfully publishing the public package, taking into account that the latest published versions of the package in both of the registries are the same, the package can be installed locally without any additional setup, it will use the Npm package registry as default one. If the user wants to install the package from GPR, the scoped registry has to be configured and the user has to be logged in into the registry.

npm config set @OWNER:registry https://npm.pkg.github.com
npm login --scope=@OWNER --registry=https://npm.pkg.github.com


A working example is available at https://github.com/zsevic/orbit-pdf

Željko Šević

Željko Šević

Software Engineer, Node.js Developer


© 2021