Forem: Ghislain B. The latest articles on Forem by Ghislain B. (@ghiscoding). https://forem.com/ghiscoding https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F234628%2F5e237f4d-ada1-40a7-88fe-6fe84713ec8e.jpeg Forem: Ghislain B. https://forem.com/ghiscoding en OIDC Trusted Publishing with Lerna-Lite Ghislain B. Tue, 30 Sep 2025 05:13:22 +0000 https://forem.com/ghiscoding/oidc-trusted-publishing-with-lerna-lite-1o98 https://forem.com/ghiscoding/oidc-trusted-publishing-with-lerna-lite-1o98 <p><em>This article is a follow-up of a previous article that I wrote couple years ago: <a href="https://dev.to/ghiscoding/how-to-publish-on-npm-with-provenance-using-lerna-lite-3cjf">How to publish on npm with <code>--provenance</code> using Lerna-Lite</a></em></p> <p>You can now use OIDC Trusted Publishing to publish your packages to NPM, this process is described on the NPM blog as:</p> <p><a href="https://docs.npmjs.com/trusted-publishers" rel="noopener noreferrer">https://docs.npmjs.com/trusted-publishers</a></p> <blockquote> <p>Trusted Publishing with OpenID Connect (OIDC) for all users, marking a significant milestone for JavaScript supply chain security. This authentication method eliminates the need for long-lived tokens in CI/CD workflows, replacing them with short-lived, cryptographically-secured credentials that reduce the attack surface for package publishing.</p> </blockquote> <p>Also note that this process will also publish with Provenance out of the box.</p> <blockquote> <p>provenance data gives consumers a verifiable way to link a package back to its source repository and the specific build instructions used to publish it</p> </blockquote> <h3> What is Lerna-Lite? </h3> <p>From Lerna's website, it is described as</p> <blockquote> <p>Lerna is a fast, modern build system for managing and publishing multiple JavaScript/TypeScript packages from the same repository.</p> </blockquote> <p><a href="https://github.com/lerna-lite/lerna-lite" rel="noopener noreferrer">Lerna-Lite</a> is a lighter version of Lerna (every commands are optional in Lerna-Lite) as opposed to Lerna which is a "all-in-one" tool. Another difference is that the newest Lerna version has Nx as a dependency, but on the other hand Lerna-Lite does not require neither use Nx.</p> <h3> What you will need </h3> <ol> <li>Go to each of your NPM monorepo packages and add a Trusted Publisher via the "Settings" (currently supported publishers are "GitHub Actions" and "GitLab CI/CD"</li> <li>Take a look at the "Publishing Access", it's recommended to set it to "Require two-factor authentication and disallow tokens"</li> <li>Repeat step 1 and 2 for all your monorepo packages (hopefully in the future, NPM will bring a global setup, but for now we have to change them one-by-one)</li> </ol> <p>You can see a super basic demo at this link:<br> <a href="https://github.com/lerna-lite-test/oidc" rel="noopener noreferrer">https://github.com/lerna-lite-test/oidc</a></p> <p>This basic demo has the following configuration set as Trusted Publisher:</p> <p><a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgithub.com%2Fuser-attachments%2Fassets%2F7595a662-8ec1-41bc-aa97-03af3a1b036b" class="article-body-image-wrapper"><img alt="Image" src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fgithub.com%2Fuser-attachments%2Fassets%2F7595a662-8ec1-41bc-aa97-03af3a1b036b" width="911" height="915"></a></p> <h3> Basic Usage </h3> <p>If you already have a Release CI Workflow, then the change is super easy, you just need to get rid of any NPM Token and/or Provenance config and that's about it, you're now good to go with OIDC<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight diff"><code># release.yml ... - name: Lerna Version 🏷️ env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} <span class="gd">- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - NPM_CONFIG_PROVENANCE: true </span></code></pre> </div> <p>Or if you want a full sample of a Release CI Workflow, then see below for a basic setup using pnpm, you can tweak it for other package managers.</p> <h5> <code>.github/workflows/release.yml</code> </h5> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">🏷️ Release to NPM</span> <span class="na">on</span><span class="pi">:</span> <span class="na">workflow_dispatch</span><span class="pi">:</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">write</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="c1"># required for OIDC</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy-npm-latest</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">timeout-minutes</span><span class="pi">:</span> <span class="m">30</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Clone repository</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v5</span> <span class="na">with</span><span class="pi">:</span> <span class="na">fetch-depth</span><span class="pi">:</span> <span class="m">0</span> <span class="na">token</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install pnpm</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">pnpm/action-setup@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="m">10</span> <span class="na">run_install</span><span class="pi">:</span> <span class="kc">false</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set NodeJS</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v5</span> <span class="na">with</span><span class="pi">:</span> <span class="na">registry-url</span><span class="pi">:</span> <span class="s1">'</span><span class="s">https://registry.npmjs.org/'</span> <span class="na">node-version</span><span class="pi">:</span> <span class="m">24</span> <span class="na">cache</span><span class="pi">:</span> <span class="s1">'</span><span class="s">pnpm'</span> <span class="c1"># OIDC requires npm v11.5.1 or later </span> <span class="c1"># or simply use Node 24 to avoid running the next line</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm install -g npm@latest</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">node --version</span> <span class="pi">-</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm --version</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run pnpm install dependencies</span> <span class="na">run</span><span class="pi">:</span> <span class="s">pnpm install</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Build Everything</span> <span class="na">run</span><span class="pi">:</span> <span class="s">pnpm build</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Lerna Version 🏷️</span> <span class="na">env</span><span class="pi">:</span> <span class="na">GH_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="na">shell</span><span class="pi">:</span> <span class="s">bash</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">git config --global user.name "${{ github.actor }}"</span> <span class="s">git config --global user.email "${{ github.actor }}@users.noreply.github.com"</span> <span class="s">pnpm exec lerna version --yes</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Lerna Publish 📦</span> <span class="na">env</span><span class="pi">:</span> <span class="na">GH_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="na">shell</span><span class="pi">:</span> <span class="s">bash</span> <span class="na">id</span><span class="pi">:</span> <span class="s">lerna-publish</span> <span class="na">continue-on-error</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">pnpm exec lerna publish from-package --force-publish --yes</span> </code></pre> </div> <p>Provenance will also be used by default (you don't even need to enable it, it comes as default).</p> <h4> Conclusion </h4> <p>With that in place, we are now successfully publishing with Provenance with Short Lived Token using Lerna-Lite which makes our toolchain much more secure. Following these steps, you should be able to do the same with your project as well. </p> <p>Also note that you can also do the exact same steps with Lerna (the actual implementation actually came from Lerna, so credit goes to them).</p> <p>See <a href="https://github.com/lerna-lite/lerna-lite/releases/tag/v4.9.0" rel="noopener noreferrer">Lerna-Lite@4.9.0</a> release for more details.</p> lerna lernalite npm How to publish on npm with `--provenance` using Lerna-Lite Ghislain B. Fri, 17 Nov 2023 05:37:22 +0000 https://forem.com/ghiscoding/how-to-publish-on-npm-with-provenance-using-lerna-lite-3cjf https://forem.com/ghiscoding/how-to-publish-on-npm-with-provenance-using-lerna-lite-3cjf <p>I recently started publishing Lerna-Lite project on NPM with Provenance and decided to write a blog post about the steps since it took me quite a few commits to find the best configuration...</p> <h3> What is Provenance? </h3> <p>For a more detailed explanation, I would suggest you read this GitHub blog post <a href="https://github.blog/2023-04-19-introducing-npm-package-provenance/" rel="noopener noreferrer">Introducing npm package provenance</a>, below is a quote pulled from the blog:</p> <blockquote> <p>provenance data gives consumers a verifiable way to link a package back to its source repository and the specific build instructions used to publish it</p> </blockquote> <h3> What is Lerna-Lite? </h3> <p>From Lerna's website, it is described as</p> <blockquote> <p>Lerna is a fast, modern build system for managing and publishing multiple JavaScript/TypeScript packages from the same repository.</p> </blockquote> <p><a href="https://github.com/lerna-lite/lerna-lite" rel="noopener noreferrer">Lerna-Lite</a> is a lighter version of Lerna (every commands are optional in Lerna-Lite) as opposed to Lerna which is a "all-in-one" tool which includes 15 commands. Another difference is that the newest Lerna version has Nx as a dependency, but on the other hand Lerna-Lite does not require neither use Nx. Lastly, Lerna-Lite was created couple months before Nx company took over stewardship of Lerna.</p> <h3> What you will need </h3> <ol> <li>Create an NPM Token for publishing (login on NPM then click on "Access Tokens -&gt; Generate Token -&gt; Classic Token" </li> <li>Go to your GitHub project and add a secret, click on "Settings -&gt; General -&gt; (security) Secret and Variables -&gt; Actions" <ul> <li>add new secret "NPM_TOKEN" and paste your NPM token from previous step.</li> </ul> </li> <li>Create a GitHub Token, go to your GitHub profile click on "Settings -&gt; Developer Settings -&gt; Personal Access Token -&gt; Classic Token and give <code>repo:public_repo</code> scope.</li> <li>Create NPM Scripts for Lerna version/publish</li> <li>Create a GitHub Action Workflow (2 use cases are shown below)</li> <li>Enable provenance via <code>.npmrc</code> or within the workflow a) in <code>.npmrc</code> via <code>provenance=true</code> b) or in the workflow via <code>env: NPM_CONFIG_PROVENANCE: true</code> </li> <li>Execute the workflow</li> </ol> <h3> Use Cases </h3> <h4> a) Basic Usage </h4> <p>Let's start with a basic usage, we'll create a GitHub Action workflow and publish on the registry using NPM to publish with Provenance. </p> <p>Note, I have to admit that I did not personally test this use case, I copied some part from this <a href="https://docs.npmjs.com/generating-provenance-statements#example-github-actions-workflow" rel="noopener noreferrer">NPM</a> and modified it a bit to demo this use case with Lerna-Lite, however in my case I opted for the second approach with OTP shown further down.</p> <h5> <code>package.json</code> </h5> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ci:publish:latest"</span><span class="p">:</span><span class="w"> </span><span class="s2">"lerna publish --conventional-commits --dist-tag latest --no-verify-access --yes"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h5> <code>.github/workflows/release.yml</code> </h5> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">Publish Package to npmjs</span> <span class="na">on</span><span class="pi">:</span> <span class="na">release</span><span class="pi">:</span> <span class="na">types</span><span class="pi">:</span> <span class="pi">[</span><span class="nv">created</span><span class="pi">]</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">build</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">timeout-minutes</span><span class="pi">:</span> <span class="m">30</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">write</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">fetch-depth</span><span class="pi">:</span> <span class="m">0</span> <span class="na">token</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="pi">-</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">node-version</span><span class="pi">:</span> <span class="m">18</span> <span class="c1"># a registry is required to publish</span> <span class="na">registry-url</span><span class="pi">:</span> <span class="s">https://registry.npmjs.org/</span> <span class="na">cache</span><span class="pi">:</span> <span class="s">npm</span> <span class="na">cache-dependency-path</span><span class="pi">:</span> <span class="s1">'</span><span class="s">**/package.json'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">NPM install</span> <span class="na">run</span><span class="pi">:</span> <span class="s">npm install -g npm</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Version &amp; Publish</span> <span class="na">env</span><span class="pi">:</span> <span class="na">GH_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="na">NODE_AUTH_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.NPM_TOKEN }}</span> <span class="na">NPM_CONFIG_PROVENANCE</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">git config --global user.name "${{ github.actor }}"</span> <span class="s">git config --global user.email "users.noreply.github.com"</span> <span class="s">npm whoami</span> <span class="s">npm run ci:publish:latest</span> </code></pre> </div> <h4> b) Lerna-Lite's project with pnpm workspace and 2FA (OTP) </h4> <p>For a more extensive and preferred use case which is to use OTP (One Time Password), it is the configuration that we use in Lerna-Lite itself to publish the project with provenance for better security.</p> <p>To deal with the OTP (or any other 2FA), we can use <a href="https://github.com/step-security/wait-for-secrets" rel="noopener noreferrer">wait-for-secrets</a>. When comparing this approach with the previous basic usage, we can see that the Lerna-Lite Version &amp; Publish were split into 2 separate tasks. The reason is simple, calling the OTP too early would timeout even before reaching the publish phase, so calling the OTP just before the publish is ideal to make sure that the token is still valid at the time of the publish. </p> <p>Another thing that is worth considering, though optional, is to add a condition to make sure that the current actor (user currently logged in GitHub) is in the allowed list of users to execute the publish; if not it will simply exit the workflow. You'll need to modify the <code>["user1", "user2"]</code> shown below with your username and anyone else that is allowed to publish. We also use <code>workflow_dispatch</code> to have a prompt to start the workflow, you could also add extra inputs to release a fixed version if you wish.</p> <blockquote> <p><strong>Note</strong> Lerna-Lite/Lerna uses NPM to publish on the registry, even if you set <code>"npmClient": "pnpm"</code> (or Yarn), which is actually a good thing since Yarn does not yet support Provenance.</p> </blockquote> <h5> <code>.npmrc</code> </h5> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>provenance=true </code></pre> </div> <h5> <code>package.json</code> </h5> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"scripts"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"ci:version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"lerna version --yes"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ci:publish"</span><span class="p">:</span><span class="w"> </span><span class="s2">"lerna publish from-package --force-publish --yes"</span><span class="p">,</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h5> <code>.github/workflows/release.yml</code> </h5> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">name</span><span class="pi">:</span> <span class="s">🏷️ Publish NPM Latest</span> <span class="na">on</span><span class="pi">:</span> <span class="s">workflow_dispatch</span> <span class="na">permissions</span><span class="pi">:</span> <span class="na">contents</span><span class="pi">:</span> <span class="s">write</span> <span class="na">id-token</span><span class="pi">:</span> <span class="s">write</span> <span class="na">jobs</span><span class="pi">:</span> <span class="na">deploy-npm-latest</span><span class="pi">:</span> <span class="na">runs-on</span><span class="pi">:</span> <span class="s">ubuntu-latest</span> <span class="na">timeout-minutes</span><span class="pi">:</span> <span class="m">30</span> <span class="na">steps</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Clone repository</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/checkout@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">fetch-depth</span><span class="pi">:</span> <span class="m">3</span> <span class="na">token</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="pi">-</span> <span class="na">if</span><span class="pi">:</span> <span class="s">${{ github.event.pull_request.merged != </span><span class="kc">true</span><span class="s"> &amp;&amp; contains('["user1", "user2"]', github.actor) != </span><span class="kc">true</span><span class="s"> }}</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Ensure current actor is allowed to run the workflow</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">echo "Error: Your GitHub username (${{ github.actor }}) is not on the allowed list of admins for this workflow"</span> <span class="s">exit 1</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Set NodeJS</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/setup-node@v4</span> <span class="na">with</span><span class="pi">:</span> <span class="na">registry-url</span><span class="pi">:</span> <span class="s1">'</span><span class="s">https://registry.npmjs.org/'</span> <span class="na">node-version</span><span class="pi">:</span> <span class="m">20</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Install pnpm</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">pnpm/action-setup@v2</span> <span class="na">with</span><span class="pi">:</span> <span class="na">version</span><span class="pi">:</span> <span class="m">8</span> <span class="na">run_install</span><span class="pi">:</span> <span class="kc">false</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Get pnpm store directory</span> <span class="na">run</span><span class="pi">:</span> <span class="s">echo "STORE_PATH=$(pnpm store path --silent)" &gt;&gt; $GITHUB_ENV</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Setup pnpm cache</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">actions/cache@v3</span> <span class="na">with</span><span class="pi">:</span> <span class="na">path</span><span class="pi">:</span> <span class="s">${{ env.STORE_PATH }}</span> <span class="na">key</span><span class="pi">:</span> <span class="s">${{ runner.os }}-pnpm-store-${{ hashFiles('**/pnpm-lock.yaml') }}</span> <span class="na">restore-keys</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">${{ runner.os }}-pnpm-store-</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run pnpm install dependencies</span> <span class="na">run</span><span class="pi">:</span> <span class="s">pnpm install</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run all workspace TSC builds</span> <span class="na">run</span><span class="pi">:</span> <span class="s">pnpm build:full</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Lerna Version 🏷️</span> <span class="na">env</span><span class="pi">:</span> <span class="na">GH_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="na">NODE_AUTH_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.NPM_TOKEN }}</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">git config --global user.name "${{ github.actor }}"</span> <span class="s">git config --global user.email "users.noreply.github.com"</span> <span class="s">pnpm whoami</span> <span class="s">pnpm run ci:version</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">OTP</span> <span class="na">uses</span><span class="pi">:</span> <span class="s">step-security/wait-for-secrets@v1</span> <span class="na">id</span><span class="pi">:</span> <span class="s">wait-for-secrets</span> <span class="na">with</span><span class="pi">:</span> <span class="na">secrets</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">OTP:</span> <span class="s">name: 'OTP to publish package'</span> <span class="s">description: 'OTP from authenticator app'</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Lerna Publish 📦</span> <span class="na">env</span><span class="pi">:</span> <span class="na">GH_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.GITHUB_TOKEN }}</span> <span class="na">NODE_AUTH_TOKEN</span><span class="pi">:</span> <span class="s">${{ secrets.NPM_TOKEN }}</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">pnpm run ci:publish --otp ${{ steps.wait-for-secrets.outputs.OTP }}</span> </code></pre> </div> <h4> Conclusion </h4> <p>With that in place, we are now successfully publishing with Provenance using Lerna-Lite which makes our toolchain much more secure. Following these steps, you should be able to do the same with your project as well. </p> <p>Also note that you can also do the exact same steps with Lerna (the actual implementation actually came from Lerna, so credit goes to them).</p> <p>For an example, you can visit one of Lerna-Lite's package, like the <a href="https://www.npmjs.com/package/@lerna-lite/cli/v/3.11.0#provenance" rel="noopener noreferrer">@lerna-lite/cli</a> package, to find the provenance badge applied on each new versions and that's it!</p> <h4> Follow-Up </h4> <p>The open source and tooling world is changing rapidly and I wrote a follow-up for this article, check it out:<br> <a href="https://dev.to/ghiscoding/oidc-trusted-publishing-with-lerna-lite-1o98">OIDC Trusted Publishing with Lerna-Lite</a></p> provenance npm publish lernalite