Use Changesets to manage version numbers and publish straight to npmjs.com with GitHub OIDC credentials. The whole pipeline needs no manually configured npm token, so it is both secure and automated.
Key configuration points
1. Configure a Trusted Publisher on npmjs.com
On npmjs.com, open the package you publish → Settings → Add GitHub repository to link the package with its GitHub repository. From then on it can be published automatically via OIDC.
2. Allow Changesets to create PRs on GitHub
In the GitHub repo → Settings → Actions → General → Workflow permissions, select Read and write permissions and tick Allow GitHub Actions to create and approve pull requests.
3. Key package.json settings
{
  "packageManager": "pnpm@9.15.0",
  "publishConfig": {
    "access": "public"
  },
  "scripts": {
    "release": "pnpm run build && changeset publish"
  }
}
Note: the release script must not be named publish; npm treats a script called publish as a lifecycle hook and would run it again during npm publish.
4. GitHub workflow example
- The Node.js version must be greater than 22 to support OIDC.
# .github/workflows/publish.yml
name: Publish Package
on:
  push:
    branches:
      - main
permissions:
  contents: write
  pull-requests: write # lets Changesets create its release PR
  id-token: write # required so the job can request an OIDC token for npm
  deployments: write
concurrency: ${{ github.workflow }}-${{ github.ref }} # avoids duplicate publishes: a new run waits until the old one finishes
jobs:
  release:
    name: Release & Publish
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # full history is required for Changesets to compute the changes
      - uses: pnpm/action-setup@v3
      - uses: actions/setup-node@v4
        with:
          node-version: 24 # must be greater than 22 to support OIDC
          cache: "pnpm"
          registry-url: "https://registry.npmjs.org"
      - run: pnpm install --frozen-lockfile
      - name: Create Release PR or Publish
        id: changesets
        uses: changesets/action@v1
        with:
          publish: pnpm release
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # write access to the repo for the release PR
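As an added preflight check (not part of the original post, and not part of the Changesets or npm tooling), the following Python lints a parsed workflow and package.json against the checklist above. It assumes both files are already loaded into dicts with json/PyYAML; the sample inputs are constructed to mirror this page's configuration.

```python
# Added preflight lint (not from the original post): checks a parsed workflow and
# package.json against the OIDC + Changesets checklist. Inputs are plain dicts as
# json/PyYAML produce them (PyYAML loads `on:` as True; it is not inspected here).

def check_release_config(workflow: dict, pkg: dict) -> list[str]:
    """Return findings; an empty list means the config satisfies the checklist."""
    findings = []
    perms = workflow.get("permissions") or {}
    if perms.get("id-token") != "write":
        findings.append("permissions.id-token must be 'write' for npm OIDC trusted publishing")
    for key in ("contents", "pull-requests"):
        if perms.get(key) != "write":
            findings.append(f"permissions.{key} must be 'write' so Changesets can open its PR")
    if not workflow.get("concurrency"):
        findings.append("no concurrency group: overlapping runs could publish twice")
    steps = [s for job in (workflow.get("jobs") or {}).values() for s in job.get("steps", [])]
    for step in steps:
        uses, opts = step.get("uses", ""), step.get("with") or {}
        if uses.startswith("actions/checkout") and opts.get("fetch-depth") != 0:
            findings.append("actions/checkout needs fetch-depth: 0 so Changesets sees full history")
        if uses.startswith("actions/setup-node"):
            major = str(opts.get("node-version", "")).split(".")[0]
            if not major.isdigit() or int(major) <= 22:
                findings.append("setup-node node-version must be greater than 22 for OIDC")
        # A long-lived npm token in the job environment defeats the point of OIDC.
        for name in step.get("env") or {}:
            if name in ("NPM_TOKEN", "NODE_AUTH_TOKEN"):
                findings.append(f"step '{step.get('name', uses)}' injects {name}; drop static npm tokens")
    if "publish" in (pkg.get("scripts") or {}):
        findings.append("scripts.publish is an npm lifecycle hook and re-runs during changeset publish; name it 'release'")
    if (pkg.get("publishConfig") or {}).get("access") != "public":
        findings.append("publishConfig.access should be 'public' so a scoped package publishes publicly")
    return findings

# Constructed sample mirroring the post's workflow and package.json.
SAMPLE_WORKFLOW = {
    "permissions": {"contents": "write", "pull-requests": "write", "id-token": "write", "deployments": "write"},
    "concurrency": "${{ github.workflow }}-${{ github.ref }}",
    "jobs": {"release": {"runs-on": "ubuntu-latest", "steps": [
        {"uses": "actions/checkout@v4", "with": {"fetch-depth": 0}},
        {"uses": "actions/setup-node@v4",
         "with": {"node-version": 24, "cache": "pnpm", "registry-url": "https://registry.npmjs.org"}},
        {"run": "pnpm install --frozen-lockfile"},
        {"name": "Create Release PR or Publish", "uses": "changesets/action@v1",
         "with": {"publish": "pnpm release"}, "env": {"GITHUB_TOKEN": "${{ secrets.GITHUB_TOKEN }}"}},
    ]}},
}
SAMPLE_PKG = {"publishConfig": {"access": "public"}, "scripts": {"release": "pnpm run build && changeset publish"}}
print(check_release_config(SAMPLE_WORKFLOW, SAMPLE_PKG) or "OK: config matches the checklist")
```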