npm checkmark

You can get a verified checkmark on your npm package if you build and publish it from GitHub Actions.

Using trusted publishing

In July 2025, npm trusted publishing became generally available, and is now the preferred way to publish a verified package to npm.

Docs: https://docs.npmjs.com/trusted-publishers

Using package provenance

Outdated (2025): The preferred way to publish a verified package to npm now is to use trusted publishing.

  1. In package.json, make sure repository.url is set to your repository’s URL.

      "repository": {
        "url": "git+https://github.com/dtinth/-.-"
      }

  2. Update your GitHub Actions workflow job.

    • Make sure it has the id-token: write permission.
    • Set environment variable NPM_CONFIG_PROVENANCE=true.

    jobs:
      release:
        name: Release
        runs-on: ubuntu-latest
        permissions:
          id-token: write
          contents: write
          packages: write
          pull-requests: write
          issues: read
        env:
          NPM_CONFIG_PROVENANCE: true
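
The two steps above can be checked before publishing. The following preflight is an added example, not part of the original note or of npm's own tooling: it verifies that repository.url resolves to the repository the workflow runs in (npm compares the two when it validates provenance) and that the workflow text carries both settings. The function names, the sample inputs and the set of accepted URL forms are assumptions of this example.

```javascript
// Added example: preflight for the provenance setup above. Function names and
// sample inputs are constructed; the URL forms accepted are an assumption.

// Reduce a package.json "repository" value to "owner/repo" for github.com URLs.
function githubSlug(repository) {
  const url = typeof repository === 'string' ? repository : repository?.url;
  if (typeof url !== 'string') return null;
  const m = url.trim().match(
    /^(?:git\+)?https:\/\/github\.com\/([^\/\s]+)\/([^\/\s#]+?)(?:\.git)?\/?$/
  );
  return m ? `${m[1]}/${m[2]}` : null;
}

// Line-based scan of workflow YAML (no YAML parser, so it does not check
// which job a setting belongs to).
function scanWorkflow(yamlText) {
  const lines = yamlText.split('\n').map((l) => l.replace(/\s+#.*$/, '').trim());
  return {
    idToken: lines.some((l) => /^id-token:\s*write$/.test(l)),
    provenance: lines.some((l) => /^NPM_CONFIG_PROVENANCE:\s*["']?true["']?$/.test(l)),
  };
}

// expectedRepo is "owner/repo", the format of GITHUB_REPOSITORY in Actions.
function preflight(pkg, workflowYaml, expectedRepo) {
  const problems = [];
  const slug = githubSlug(pkg.repository);
  if (!slug) problems.push('repository.url is missing or not a github.com https URL');
  else if (slug !== expectedRepo) // strict, case-sensitive comparison
    problems.push(`repository.url points at ${slug}, workflow runs in ${expectedRepo}`);
  const wf = scanWorkflow(workflowYaml);
  if (!wf.idToken) problems.push('workflow lacks "id-token: write"');
  if (!wf.provenance) problems.push('NPM_CONFIG_PROVENANCE is not set to true');
  return problems;
}

// Constructed sample mirroring the snippets on this page.
const samplePkg = { repository: { url: 'git+https://github.com/dtinth/-.-' } };
const sampleWorkflow = `
jobs:
  release:
    permissions:
      id-token: write   # lets the job request an OIDC token
      contents: write
    env:
      NPM_CONFIG_PROVENANCE: true
`;
console.log(preflight(samplePkg, sampleWorkflow, 'dtinth/-.-')); // no problems
console.log(preflight({ name: 'x' }, 'permissions:\n  contents: read\n', 'dtinth/-.-'));
```

In a workflow step, pass the parsed package.json, the workflow file's text and the value of GITHUB_REPOSITORY, and fail the job when the returned list is not empty.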

Further reading