Publish in CI/CD
Nx Release makes it easy to move your publishing process into your CI/CD pipeline.
Automatically Skip Publishing Locally
When running nx release, after the version updates and changelog generation, you will be prompted with the following question:
โฏ
nx release
1...
2? Do you want to publish these versions? (y/N) โบ
3To move publishing into an automated pipeline, you will want to skip publishing when running nx release locally. To do this automatically, use the --skip-publish flag:
โฏ
nx release --skip-publish
1...
2
3Skipped publishing packages.
4Use the Publish Subcommand
Nx Release provides a publishing subcommand that performs just the publishing step. Use this in your CI/CD pipeline to publish the packages.
โฏ
nx release publish
1NX Running target nx-release-publish for 3 projects:
2
3- pkg-1
4- pkg-2
5- pkg-3
6
7โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
8
9> nx run pkg-1:nx-release-publish
10
11
12๐ฆ @myorg/pkg-1@0.0.2
13=== Tarball Contents ===
14
15233B README.md
16277B package.json
1753B src/index.ts
1861B src/lib/pkg-1.ts
19=== Tarball Details ===
20name: @myorg/pkg-1
21version: 0.0.2
22filename: testorg-pkg-1-0.0.2.tgz
23package size: 531 B
24unpacked size: 624 B
25shasum: {shasum}
26integrity: {integrity}
27total files: 12
28
29Published to https://registry.npmjs.org with tag "latest"
30
31> nx run pkg-2:nx-release-publish
32
33
34๐ฆ @myorg/pkg-2@0.0.2
35=== Tarball Contents ===
36
37233B README.md
38277B package.json
3953B src/index.ts
4061B src/lib/pkg-2.ts
41=== Tarball Details ===
42name: @myorg/pkg-2
43version: 0.0.2
44filename: testorg-pkg-2-0.0.2.tgz
45package size: 531 B
46unpacked size: 624 B
47shasum: {shasum}
48integrity: {integrity}
49total files: 12
50
51Published to https://registry.npmjs.org with tag "latest"
52
53> nx run pkg-3:nx-release-publish
54
55
56๐ฆ @myorg/pkg-3@0.0.2
57=== Tarball Contents ===
58
59233B README.md
60277B package.json
6153B src/index.ts
6261B src/lib/pkg-3.ts
63=== Tarball Details ===
64name: @myorg/pkg-3
65version: 0.0.2
66filename: testorg-pkg-3-0.0.2.tgz
67package size: 531 B
68unpacked size: 624 B
69shasum: {shasum}
70integrity: {integrity}
71total files: 12
72
73Published to https://registry.npmjs.org with tag "latest"
74
75โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
76
77NX Successfully ran target nx-release-publish for 3 projects
78Publish in Github Actions
A common way to automate publishing packages is via Github Actions. An example of a publish workflow is as follows:
1# ./.github/workflows/publish.yml
2name: Publish
3
4on:
5 push:
6 tags:
7 - v*.*.*
8
9jobs:
10 test:
11 name: Publish
12 runs-on: ubuntu-latest
13 permissions:
14 contents: read
15 id-token: write # needed for provenance data generation
16 timeout-minutes: 10
17 steps:
18 - name: Checkout repository
19 uses: actions/checkout@v4
20 with:
21 fetch-depth: 0
22
23 - name: Install Node
24 uses: actions/setup-node@v4
25 with:
26 node-version: 20
27 registry-url: https://registry.npmjs.org/
28
29 - name: Install dependencies
30 run: npm install
31 shell: bash
32
33 - name: Print Environment Info
34 run: npx nx report
35 shell: bash
36
37 - name: Publish packages
38 run: npx nx release publish
39 shell: bash
40 env:
41 NODE_AUTH_TOKEN: ${{ secrets.NPM_ACCESS_TOKEN }}
42 NPM_CONFIG_PROVENANCE: true
43This workflow will install node, install npm dependencies, then run nx release publish to publish the packages. It will run on every push to the repository that creates a tag that matches the pattern v*.*.*. A release process using this workflow is as follows:
- Run
nx release --skip-publishlocally. This will create a commit with the version and changelog updates, then create a tag for the new version. - Push the changes (including the new tag) to the remote repository with
git push && git push --tags. - The publish workflow will automatically trigger and publish the packages to the npm registry.
Configure the NODE_AUTH_TOKEN
The NODE_AUTH_TOKEN environment variable is needed to authenticate with the npm registry. In the above workflow, it is passed into the Publish packages step via a Github Secret.
Generate a NODE_AUTH_TOKEN for NPM
To generate the correct NODE_AUTH_TOKEN for the npmJS registry specifically, first login to https://www.npmjs.com/. Select your profile icon, then navigate to "Access Tokens". Generate a new Granular Access Token. Ensure that the token has read and write access to both the packages you are publishing and their organization (if applicable). Copy the generated token and add it as a secret to your Github repository.
Add the NODE_AUTH_TOKEN to Github Secrets
To add the token as a secret to your Github repository, navigate to your repository, then select "Settings" > "Secrets and Variables" > "Actions". Add a new Repository Secret with the name NPM_ACCESS_TOKEN and the value of the token you generated in the previous step.
Note: The NPM_ACCESS_TOKEN name is not important other than that it matches the usage in the workflow:
1 - name: Publish packages
2 run: npx nx release publish
3 shell: bash
4 env:
5 NODE_AUTH_TOKEN: ${{ secrets.NPM_ACCESS_TOKEN }}
6 NPM_CONFIG_PROVENANCE: true
7NPM Provenance
To verify your packages with npm provenance, set the NPM_CONFIG_PROVENANCE environment variable to true in the step where nx release publish is performed. The workflow will also need the id-token: write permission to generate the provenance data:
1jobs:
2 test:
3 name: Publish
4 runs-on: ubuntu-latest
5 permissions:
6 contents: read
7 id-token: write # needed for provenance data generation
81- name: Publish packages
2 run: npx nx release publish
3 shell: bash
4 env:
5 NODE_AUTH_TOKEN: ${{ secrets.NPM_ACCESS_TOKEN }}
6 NPM_CONFIG_PROVENANCE: true
7