11ai-npm-publishing
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseNpm Publishing
Npm 发布
Overview
概述
Use this skill to make a repo publish-ready and to publish it safely with a short, repeatable workflow.
Prefer the smallest set of changes that gets the package publishable. Keep package contents explicit, verify the tarball before publish, and treat auth and org permissions as separate from package configuration.
使用这个skill可以让代码库具备发布条件,并通过简短可复用的工作流安全地完成发布。
优先使用最少的修改让包满足发布要求。保持包内容明确,发布前校验tarball,将鉴权和组织权限与包配置分开处理。
Workflow
工作流
-
Inspect the package root. Read, check the intended entry point, and inspect the folders that should ship. If
package.jsonis configured, check for a dedicated release config file such assemantic-releaseand treat that as the source of truth over older inline config examples..releaserc.js -
Align package metadata with the intended publish target. Ensure the scoped package name is correct. Setwhen the package must publish. Add
"private": falsefor public scoped packages. Set"publishConfig": { "access": "public" }ormainto a real entry file. Add aexportsarray when the package should publish only selected paths.files -
Protect secrets and local publish config. Ignorefiles in
.env. Prefer reading.gitignorefrom a localNPM_TOKENfile instead of hardcoding credentials in.env.package.json -
Add or update repo-local publish commands. If the repo needs a reusable publish flow, add a small Node script rather than a long inline one-liner in. Keep the script at a stable path such as
package.json. Prefer a temporary npm config file over passing the token on the command line. Use the helper at scripts/publish-with-local-token.cjs as the starting point when the repo does not already have its own version../scripts/publish-public-w-local-token.cjs -
Verify publish contents before release. Runor the repo's equivalent script. Confirm the tarball includes the intended files and excludes local secrets or unrelated workspace files.
npm pack --dry-run -
Choose the publish mode. For one-off local publishing, use a repo-local helper that readsfrom
NPM_TOKEN. For automated publishing from GitHub, prefer.envon pushes tosemantic-release. When the repo already usesmain, preserve the existing config shape, plugin order, and workflow naming unless the user explicitly wants a migration.semantic-release -
Publish. For scoped public packages, use. If the repo uses a local token helper, ensure
npm publish --access publiccontains.envfirst. If the repo usesNPM_TOKEN=..., ensure the workflow hassemantic-releaseand anGITHUB_TOKENsecret available.NPM_TOKEN -
Troubleshoot failures by category. For package-content issues, revisit,
main, andexports. For 403 errors, separate "wrong credentials" from "org requires 2FA or bypass-enabled token." For local permission or shell issues, inspect the execution environment before changing npm config. For automated releases that do not trigger, inspect branch filters, workflow permissions, and commit message format. Forfilestrying to publishsemantic-releasefor an already-published package, bootstrap the repo with the existing published version tag before rerunning release automation.1.0.0
-
检查包根目录。 读取,检查预期的入口点,查看需要发布的文件夹。 如果已经配置了
package.json,检查是否有专门的发布配置文件(如semantic-release),并将其作为优先于旧的内联配置示例的事实标准。.releaserc.js -
让包元数据与预期的发布目标对齐。 确保作用域包名称正确。 当包需要发布时,设置。 为公开的作用域包添加
"private": false。 将"publishConfig": { "access": "public" }或main设置为真实存在的入口文件。 当包仅需要发布指定路径时,添加exports数组。files -
保护密钥和本地发布配置。 在中忽略
.gitignore文件。 优先从本地.env文件读取.env,而不是在NPM_TOKEN中硬编码凭证。package.json -
添加或更新代码库本地的发布命令。 如果代码库需要可复用的发布流程,添加一个简短的Node脚本,而不是在中写很长的内联单行命令。 将脚本放在稳定的路径下,例如
package.json。 优先使用临时npm配置文件,而不是在命令行中传递令牌。 当代码库没有自带的发布脚本时,可以使用scripts/publish-with-local-token.cjs中的工具作为起点。./scripts/publish-public-w-local-token.cjs -
发布前校验发布内容。 运行或者代码库中对应的等价脚本。 确认tarball包含预期的文件,排除了本地密钥或者无关的工作区文件。
npm pack --dry-run -
选择发布模式。 对于一次性本地发布,使用从读取
.env的代码库本地辅助工具。 对于从GitHub自动发布的场景,优先使用推送到NPM_TOKEN分支时触发的main。 当代码库已经在使用semantic-release时,保留现有的配置结构、插件顺序和工作流命名,除非用户明确需要迁移。semantic-release -
发布。 对于公开作用域包,使用。 如果代码库使用本地令牌辅助工具,首先确保
npm publish --access public中包含.env。 如果代码库使用NPM_TOKEN=...,确保工作流可以获取到semantic-release和GITHUB_TOKEN密钥。NPM_TOKEN -
按类别排查故障。 对于包内容问题,重新检查、
main和exports配置。 对于403错误,区分“凭证错误”和“组织要求2FA或者启用了旁路的令牌”两种情况。 对于本地权限或者shell问题,在修改npm配置前先检查执行环境。 对于没有触发的自动发布,检查分支过滤器、工作流权限和提交信息格式。 对于files试图为已经发布过的包发布semantic-release的问题,在重新运行发布自动化前,给代码库打上已发布的现有版本标签。1.0.0
Quick Checks
快速检查项
- Entry file exists at the path named by or
mainexports - includes the paths that should ship
files - is
publishConfig.accessfor public scoped packages"public" - is ignored by git
.env - output looks correct
npm pack --dry-run - Active npm account or token has permission to publish under the target scope
- 或
main指定路径下的入口文件存在exports - 包含了需要发布的路径
files - 公开作用域包的设置为
publishConfig.access"public" - 被git忽略
.env - 的输出符合预期
npm pack --dry-run - 活跃的npm账号或者令牌有权限在目标作用域下发布
References
参考资料
Read references/publish-checklist.md for a concise pre-publish checklist and common failure modes.
Read references/semantic-release.md when the repo should publish automatically from GitHub Actions.
阅读references/publish-checklist.md获取简洁的发布前检查清单和常见故障模式。
当代码库需要通过GitHub Actions自动发布时,阅读references/semantic-release.md。
Scripts
脚本
Use scripts/publish-with-local-token.cjs as a reusable template when a repo needs to publish with stored in a root on Windows, macOS, or Linux.
NPM_TOKEN.env当代码库需要使用存储在根目录中的在Windows、macOS或Linux上发布时,可以使用scripts/publish-with-local-token.cjs作为可复用模板。
.envNPM_TOKEN