Agent skill
npm-trustme
Automate npm Trusted Publisher setup via the npm-trustme CLI. Use when configuring or verifying npm Trusted Publishers for GitHub Actions with npx npm-trustme, including browser automation and WebAuthn passkey approval.
Install this agent skill to your Project
npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/development/npm-trustme
SKILL.md
npm-trustme
Overview
Automate npm Trusted Publisher setup in the npm web UI. Requires a one-time WebAuthn approval in a real browser session (passkey or security key).
CLI Quick Start
- One-time if browsers are missing: npx playwright install
- Ensure (create if missing): npx npm-trustme ensure --yes ...
- Check only: npx npm-trustme check ...
- Generate workflow: npx npm-trustme workflow init
- Doctor: npx npm-trustme doctor
- Non-interactive install: npx npm-trustme install --non-interactive ...
Required Target Inputs
- Required: --package, --owner, --repo, --workflow
- Optional: --publishing-access, --environment, --maintainer
Default inference:
- package: package.json#name
- owner/repo: git remote origin
- workflow: .github/workflows/npm-release.yml or the only workflow file
Examples
Check:
npx npm-trustme check \
--package <PACKAGE_NAME> \
--owner <GITHUB_OWNER> \
--repo <GITHUB_REPO> \
--workflow <WORKFLOW_FILE> \
--publishing-access <PUBLISHING_ACCESS>
Ensure (create if missing):
npx npm-trustme ensure \
--package <PACKAGE_NAME> \
--owner <GITHUB_OWNER> \
--repo <GITHUB_REPO> \
--workflow <WORKFLOW_FILE> \
--publishing-access <PUBLISHING_ACCESS> \
--yes
Non-interactive install (single package):
npx npm-trustme install --non-interactive \
--package <PACKAGE_NAME> \
--owner <GITHUB_OWNER> \
--repo <GITHUB_REPO> \
--workflow <WORKFLOW_FILE> \
--publishing-access disallow-tokens \
--headless \
--storage ~/.npm-trustme/storage.json
Non-interactive install (monorepo):
npx npm-trustme install --non-interactive \
--all-packages \
--owner <GITHUB_OWNER> \
--repo <GITHUB_REPO> \
--workflow npm-release.yml \
--publishing-access disallow-tokens
Targets file (JSON/YAML):
targets:
  - packageName: my-pkg
    owner: my-org
    repo: my-repo
    workflow: npm-release.yml
    environment: npm
    publishingAccess: disallow-tokens
Workflow write in non-interactive install:
npx npm-trustme install --non-interactive \
--workflow-init \
--workflow-file npm-release.yml \
--workflow-pm pnpm \
--workflow-node 24 \
--workflow-trigger release \
--workflow-dispatch true \
--workflow-build-command "pnpm build" \
--workflow-publish-command "npm publish --access public --provenance"
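A release workflow consistent with the flags above and with the targets file example, added here as an illustration; it is not output of npm-trustme or code from the project. The job name, action versions, install step and the packageManager assumption are choices made for this example.

```yaml
# .github/workflows/npm-release.yml
# The file name has to match the --workflow value registered with npm.
name: npm-release

on:
  release:
    types: [published]        # --workflow-trigger release
  workflow_dispatch: {}       # --workflow-dispatch true

permissions:
  contents: read              # workflow-wide default: read-only

jobs:
  publish:                    # job name is arbitrary (assumption)
    runs-on: ubuntu-latest
    # Must equal the environment in the Trusted Publisher entry when one is set
    # (environment: npm in the targets file example).
    environment: npm
    permissions:
      contents: read
      id-token: write         # allows the job to request the GitHub OIDC token npm verifies
    steps:
      - uses: actions/checkout@v4
      - uses: pnpm/action-setup@v4      # assumes package.json declares packageManager
      - uses: actions/setup-node@v4
        with:
          node-version: 24              # --workflow-node 24
          registry-url: https://registry.npmjs.org
          cache: pnpm
      - run: pnpm install --frozen-lockfile
      - run: pnpm build                 # --workflow-build-command
      # No NPM_TOKEN / NODE_AUTH_TOKEN secret: the job authenticates to npm
      # through the OIDC token only. npm documents CLI 11.5.1 or later for this.
      - run: npm publish --access public --provenance   # --workflow-publish-command
```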
Dedicated Chrome (keeps main browser open):
npx npm-trustme chrome start
npx npm-trustme ensure --yes
Notes
- --env-file can load a specific .env path.
- --storage can persist Playwright storage state for faster re-runs.
- Inline cookies (Sweet Cookie format) are supported: --inline-cookies-json, --inline-cookies-base64, or --inline-cookies-file.
- Requires Node >= 22 (Sweet Cookie uses node:sqlite).
- Chrome profile reuse (manual session): --chrome-profile / --chrome-profile-dir / --chrome-user-data-dir / --chrome-path.
- Connect to an existing Chrome: --chrome-cdp-url or --chrome-debug-port (Chrome must be launched with remote debugging).
- Cookie import: --import-cookies (default true) to copy npm cookies from your main Chrome profile.
- npm-trustme ensure prompts for confirmation; use --yes in automated/agent runs.
- npm-trustme install --non-interactive requires all target fields; use --targets-file for per-package overrides.
- For headless runs, provide --storage or inline cookies to avoid interactive login/2FA.