Can't publish to npmjs using Yarn in GH Actions with OIDC

[Arad1el]

Body

I have a package on npmjs.com, and am trying to publish a security update.
I'm trying to set up publishing to use OIDC, but am having some teething issues that I am looking for help with

On npmjs.com I've set up the Trusted Publisher settings to be GitHub Actions, arad1el/[my-repo-name], and the workflow name is the filename (npm-publish.yml)

I adapted my previous workflow file to closer match npm's example - the key difference is that I use yarn rather than npm

`name: Publish to npmjs

on:
release:
types: [created]

jobs:
build:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
packages: write
steps:
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 24
registry-url: https://registry.npmjs.org/
- run: yarn install --frozen-lockfile
- run: yarn build
#- run: yarn test
- run: yarn publish --provenance`

The workflow falls over when it gets to the "yarn publish --provenance" command saying that it "error Couldn't publish package: "https://registry.npmjs.org/[package-name]: Not found"

The package definitely exists, so it must be something to do with my setup.

How can I properly configure this?

Guidelines

• I have read and understood this category's guidelines before making this post.

[Sudip-329]

Full Example Workflow
name: Publish to npmjs

on:
release:
types: [created]

jobs:
build:
runs-on: ubuntu-latest
permissions:
id-token: write
contents: read
packages: write
steps:
- uses: actions/checkout@v4

  - uses: actions/setup-node@v4
    with:
      node-version: 24
      registry-url: 'https://registry.npmjs.org'
      scope: '@your-scope'
      always-auth: true

  - run: yarn install --frozen-lockfile
  - run: yarn build
  - run: yarn publish --provenance

[shivrajcodez]

The error:

Couldn't publish package: https://registry.npmjs.org/[package-name]: Not found

usually means this is an authentication issue, not that the package actually doesn’t exist.

When using OIDC Trusted Publishing, you should not rely on traditional auth tokens — but you still need to make sure your workflow and npm config are aligned properly.

A few things to check:

1. Make sure the package name matches exactly

In package.json:

The name must match the one on npm (including scope, if any).

If it’s scoped (e.g. @user/package), ensure the scope matches what’s published.

Even a small mismatch will cause a 404.

2. Ensure setup-node is correctly configuring npm auth

With OIDC, you don’t need NODE_AUTH_TOKEN, but you must:

• uses: actions/setup-node@v4
  with:
  node-version: 24
  registry-url: https://registry.npmjs.org/

You already have this — that’s good.

But make sure:

The workflow filename exactly matches what you configured in npm Trusted Publisher.

The repo name in npm settings matches exactly (arad1el/[my-repo-name]).

OIDC is very strict about exact matches.

3. If this is a scoped package

If your package is scoped, add this to package.json:

"publishConfig": {
"access": "public"
}

Otherwise npm may reject the publish attempt.

4. Yarn + Provenance

--provenance relies on npm CLI under the hood. Sometimes Yarn doesn’t fully align with npm’s OIDC flow.

If everything else looks correct, try temporarily replacing:

yarn publish --provenance

with:

npm publish --provenance

after running yarn build.

If that works, the issue is Yarn’s publish handling with OIDC.

5. Confirm the release trigger

Your workflow runs on:

on:
release:
types: [created]

Make sure you're creating a GitHub Release (not just pushing a tag). OIDC validation checks the workflow context carefully.

[MHassan-Tariq]

This is a common "teething issue" with the transition to OIDC (Trusted Publishing) on npm, specifically when using Yarn v1 (Classic). The "Not Found" error is actually a misleading response from the npm registry when authentication fails—in this case, because Yarn v1 does not natively support the OIDC/Provenance handshake required by the new Trusted Publisher flow.

Here is the professional breakdown and the fix to get your security update published.

1. The Root Cause: Yarn v1 vs. OIDC
   The yarn publish command in Yarn v1 (Classic) is built on an older architecture that doesn't know how to exchange a GitHub OIDC token for an npm session. When you run yarn publish --provenance, it fails to provide the correct credentials, and the npm registry returns a 404 Not Found (effectively saying, "I don't know who you are, so I can't find a permission set for this package").

2. The Recommended Fix: Use the npm CLI for the final step
   The most stable way to use Trusted Publishing while keeping your project in Yarn is to use Yarn for building and the npm CLI for the actual publishing step. The npm CLI (v9.5.0+) is the official tool for OIDC/Provenance.

Update your npm-publish.yml to this structure:

YAML
name: Publish to npmjs
on:
release:
types: [created]

jobs:
build:
runs-on: ubuntu-latest
permissions:
id-token: write # Required for OIDC
contents: read
# packages: write # Only needed if publishing to GitHub Packages; npm only needs id-token
steps:
- uses: actions/checkout@v4

  - uses: actions/setup-node@v4
    with:
      node-version: 24 # Good choice, includes npm v11+
      registry-url: 'https://registry.npmjs.org/'

  - name: Install dependencies
    run: yarn install --frozen-lockfile

  - name: Build package
    run: yarn build

  - name: Publish to npm via OIDC
    # We use npm here because it natively handles the OIDC token exchange
    run: npm publish --provenance --access public
    env:
      NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} # NOT REQUIRED with OIDC, leave this out!

3. Critical Checklist for Trusted Publishing
   If you still see errors after switching to npm publish, check these three "invisible" settings:

Case Sensitivity: In your npmjs.com Trusted Publisher settings, the Organization/User and Repository names must match the casing in your GitHub URL exactly (e.g., Arad1el vs arad1el).

Workflow Filename: Ensure the filename in the npm settings is exactly npm-publish.yml. Even a capital letter or a missing .yml extension will cause the OIDC handshake to fail.

Package.json Repository: Ensure your package.json has a repository field that matches the repo you are publishing from:

JSON
"repository": {
"type": "git",
"url": "https://github.com/arad1el/your-repo-name.git"
}
Why not use Yarn Berry (v2+)?
If you were on Yarn Berry (v4), it does support OIDC via the npmPublish plugin. However, for a quick security update on a Yarn v1 project, switching the final command to npm publish is the fastest and least disruptive path.

[Arad1el]

Thank you @MHassan-Tariq and @shivrajcodez for your explanations - I'm marking @MHassan-Tariq as the answer since it covered the same ground but also highlighted a small change in package.json which might have made the difference.

It seems to be fully working now

[shivrajcodez]

most welcome!