Summary
Publishing to an npm-compatible registry that isn't registry.npmjs.org (GitHub Packages, Verdaccio, Artifactory/JFrog, AWS CodeArtifact, Gitea, Cloudsmith, …) mostly works today, but there's an auth rough edge and almost no docs. Splitting out from the snapshot/private-registry work (#126 / #133).
How it works today
Registry selection is well-supported — bumpy shells out to npm publish, so it honors all the standard mechanisms:
- per-package registry in bumpy config → adds --registry <url> to publish and to the published-version checks (buildPublishArgs, checkIfPublished, fetchPublishedVersions)
- npm-native publishConfig.registry in package.json
- .npmrc registry= / @scope:registry= mappings
The gap: auth
bumpy's convenience that turns NPM_TOKEN/NODE_AUTH_TOKEN into an .npmrc line is hardcoded to //registry.npmjs.org/:
packages/bumpy/src/core/publish-pipeline.ts (setupNpmAuth):
const authLine = '//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}';
For any other registry, that auto-written line won't authenticate. It does work if the user pre-configures .npmrc themselves — bumpy detects an existing :_authToken= and uses it untouched — so the current supported path is:
- CI: actions/setup-node with registry-url + scope (writes the correct //host/:_authToken=${NODE_AUTH_TOKEN} line), or
- write the .npmrc auth line manually.
(OIDC trusted publishing is npmjs.org-only, so alternative registries use token auth.)
Proposed work
- Docs (primary). Add a "Publishing to other registries" section covering:
  - GitHub Packages (scope must match owner, https://npm.pkg.github.com, GITHUB_TOKEN/PAT auth)
  - generic custom registry (Verdaccio/Artifactory/etc.) via per-package registry / publishConfig.registry
  - the auth requirement: pre-configured .npmrc (setup-node registry-url + scope, or manual), since NPM_TOKEN only wires npmjs.org
  - note that OIDC is npmjs.org-only
- Optional code enhancement. When a registry is configured (per-package or publishConfig.registry) and a token is present, write the auth line for that host instead of hardcoding registry.npmjs.org, so NPM_TOKEN works without a manual .npmrc. Edge cases to consider: multiple packages → multiple registry hosts, host extraction from the URL, and per-registry tokens (a single NPM_TOKEN may not be valid for all hosts).
Acceptance
- Docs explain how to publish to at least GitHub Packages and a generic custom registry, including the auth setup.
- Decide whether to keep auth purely user-configured (.npmrc/setup-node) or auto-wire it from the configured registry.
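
One way the optional enhancement's edge cases (host extraction, several registry hosts, per-registry tokens) could be handled, as an added example that is not bumpy's code. The names RegistryAuth, npmrcKey, buildAuthLines and the tokenEnv field are hypothetical, and it assumes each registry is configured with the name of its own token variable so that no token is written for a host it was not issued for.

```typescript
// Added example: hypothetical helpers, not bumpy's implementation.
interface RegistryAuth {
  registry: string; // URL from per-package `registry` or publishConfig.registry
  tokenEnv: string; // env var holding the token meant for that registry
}

// Scheme-less .npmrc key for a registry URL: //host[:port]/path/
function npmrcKey(registry: string): string {
  const u = new URL(registry);
  if (u.protocol !== 'https:' && u.protocol !== 'http:') {
    throw new Error('unsupported registry scheme: ' + u.protocol);
  }
  if (u.username || u.password) {
    throw new Error('registry URL must not embed credentials');
  }
  // Keep the path so a registry hosted under a sub-path gets its own entry.
  const path = u.pathname.charAt(u.pathname.length - 1) === '/' ? u.pathname : u.pathname + '/';
  return '//' + u.host + path;
}

function buildAuthLines(
  registries: RegistryAuth[],
  env: { [name: string]: string | undefined },
  existingNpmrc: string
): { lines: string[]; skipped: string[] } {
  const seen: { [key: string]: string } = {};
  const lines: string[] = [];
  const skipped: string[] = [];
  for (const r of registries) {
    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(r.tokenEnv)) {
      throw new Error('invalid env var name: ' + r.tokenEnv);
    }
    const key = npmrcKey(r.registry);
    if (seen[key] !== undefined) {
      // Several packages may share a host; they must agree on the token source.
      if (seen[key] !== r.tokenEnv) throw new Error('conflicting tokens for ' + key);
      continue;
    }
    seen[key] = r.tokenEnv;
    // A user-written auth line wins and is left untouched.
    if (existingNpmrc.indexOf(key + ':_authToken=') !== -1) continue;
    // No token for this host: write nothing rather than reuse another host's token.
    if (!env[r.tokenEnv]) { skipped.push(key); continue; }
    // Reference the variable; the secret itself never lands in the file.
    lines.push(key + ':_authToken=${' + r.tokenEnv + '}');
  }
  return { lines, skipped };
}
```

Hosts returned in skipped have no token available; surfacing them before npm publish runs turns a late 401 into an early, explicit configuration error.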