npm-trustme
Overview
Automate npm Trusted Publisher setup in the npm web UI. Requires a one-time WebAuthn approval in a real browser session (passkey or security key).
CLI Quick Start
- One-time if browsers are missing: npx playwright install
- Ensure (create if missing): npx npm-trustme ensure --yes ...
- Check only: npx npm-trustme check ...
- Generate workflow: npx npm-trustme workflow init
- Doctor: npx npm-trustme doctor
- Non-interactive install: npx npm-trustme install --non-interactive ...
Required Target Inputs
- Required: --package, --owner, --repo, --workflow
- Optional: --publishing-access, --environment, --maintainer
Default inference:
- package: package.json#name
- owner/repo: git remote origin
- workflow: .github/workflows/npm-release.yml or the only workflow file
Examples
Check:
    npx npm-trustme check \
      --package <PACKAGE_NAME> \
      --owner <GITHUB_OWNER> \
      --repo <GITHUB_REPO> \
      --workflow <WORKFLOW_FILE> \
      --publishing-access <PUBLISHING_ACCESS>
Ensure (create if missing):
    npx npm-trustme ensure \
      --package <PACKAGE_NAME> \
      --owner <GITHUB_OWNER> \
      --repo <GITHUB_REPO> \
      --workflow <WORKFLOW_FILE> \
      --publishing-access <PUBLISHING_ACCESS> \
      --yes
Non-interactive install (single package):
    npx npm-trustme install --non-interactive \
      --package <PACKAGE_NAME> \
      --owner <GITHUB_OWNER> \
      --repo <GITHUB_REPO> \
      --workflow <WORKFLOW_FILE> \
      --publishing-access disallow-tokens \
      --headless \
      --storage ~/.npm-trustme/storage.json
Non-interactive install (monorepo):
    npx npm-trustme install --non-interactive \
      --all-packages \
      --owner <GITHUB_OWNER> \
      --repo <GITHUB_REPO> \
      --workflow npm-release.yml \
      --publishing-access disallow-tokens
Targets file (JSON/YAML):
    targets:
      - packageName: my-pkg
        owner: my-org
        repo: my-repo
        workflow: npm-release.yml
        environment: npm
        publishingAccess: disallow-tokens
Workflow write in non-interactive install:
    npx npm-trustme install --non-interactive \
      --workflow-init \
      --workflow-file npm-release.yml \
      --workflow-pm pnpm \
      --workflow-node 24 \
      --workflow-trigger release \
      --workflow-dispatch true \
      --workflow-build-command "pnpm build" \
      --workflow-publish-command "npm publish --access public --provenance"
Dedicated Chrome (keeps main browser open):
    npx npm-trustme chrome start
    npx npm-trustme ensure --yes
Notes
- --env-file can load a specific .env path.
- --storage can persist Playwright storage state for faster re-runs.
- Inline cookies (Sweet Cookie format) are supported: --inline-cookies-json, --inline-cookies-base64, or --inline-cookies-file.
- Requires Node >= 22 (Sweet Cookie uses node:sqlite).
- Chrome profile reuse (manual session): --chrome-profile / --chrome-profile-dir / --chrome-user-data-dir / --chrome-path.
- Connect to an existing Chrome: --chrome-cdp-url or --chrome-debug-port (Chrome must be launched with remote debugging).
- Cookie import: --import-cookies (default true) to copy npm cookies from your main Chrome profile.
- npm-trustme ensure prompts for confirmation; use --yes in automated/agent runs.
- npm-trustme install --non-interactive requires all target fields; use --targets-file for per-package overrides.
- For headless runs, provide --storage or inline cookies to avoid interactive login/2FA.
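
A pre-flight check for the targets file and for the all-fields requirement of install --non-interactive noted above, as an added example that is not npm-trustme's own code. The helper lintTargets, its warning rules and the sample entries are assumptions made here; only the field names come from the targets example on this page.

```javascript
// Pre-flight lint for an npm-trustme targets file (JSON form). lintTargets and
// the sample data are hypothetical and not part of npm-trustme.
const REQUIRED = ["packageName", "owner", "repo", "workflow"];
const SHOWN = new Set([...REQUIRED, "environment", "publishingAccess"]);

function lintTargets(doc) {
  const findings = [];
  const targets = doc && Array.isArray(doc.targets) ? doc.targets : [];
  if (targets.length === 0) {
    findings.push({ index: -1, level: "error", msg: "no targets listed" });
  }
  const seen = new Set();
  targets.forEach((t, index) => {
    const add = (level, msg) => findings.push({ index, level, msg });
    if (t === null || typeof t !== "object" || Array.isArray(t)) {
      return add("error", "target is not a mapping");
    }
    for (const key of REQUIRED) {
      if (typeof t[key] !== "string" || t[key].trim() === "") {
        add("error", `missing required field: ${key}`);
      }
    }
    for (const key of Object.keys(t)) {
      if (!SHOWN.has(key)) add("warn", `field not in the page's example: ${key}`);
    }
    // Assumption: workflow is a bare file name, as in the page's examples.
    if (typeof t.workflow === "string" && !/^[\w.-]+\.ya?ml$/.test(t.workflow)) {
      add("warn", "workflow is not a bare .yml/.yaml file name");
    }
    // Flag targets that do not request the disallow-tokens setting.
    if (t.publishingAccess !== "disallow-tokens") {
      add("warn", "publishingAccess is not disallow-tokens");
    }
    if (typeof t.packageName === "string") {
      if (seen.has(t.packageName)) add("error", "duplicate packageName");
      seen.add(t.packageName);
    }
  });
  return findings;
}

// Constructed sample: the second entry lacks repo and misspells publishingAccess.
const SAMPLE = JSON.parse(`{"targets": [
  {"packageName": "my-pkg", "owner": "my-org", "repo": "my-repo",
   "workflow": "npm-release.yml", "publishingAccess": "disallow-tokens"},
  {"packageName": "my-other-pkg", "owner": "my-org",
   "workflow": ".github/workflows/npm-release.yml", "publishAccess": "disallow-tokens"}
]}`);
const hasErrors = (findings) => findings.some((f) => f.level === "error");
console.log(lintTargets(SAMPLE));
```

Running the lint in CI before a headless install makes a misspelled publishingAccess key fail loudly instead of leaving a package without the intended setting.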