At the moment, I publish releases by running npm publish locally.
With my Python libraries, I have a workflow that runs when I push a tag, which builds the package and then uses the trusted publisher workflow to push it to PyPI using a time-limited token.
What is the best practice for doing this in NPM land these days? Can you do trusted publisher? Do you have to store an API token in GH secrets?