CI/CD Integrations

LPM supports multiple authentication methods for CI/CD:

Method	Setup	Security	Supported by
OIDC (recommended)	No secrets to manage	Tokens expire in 30 min	GitHub Actions, GitLab CI
LPM_TOKEN	Set a secret in CI settings	Token until revoked	Any CI platform
GitHub Action	One-liner `uses: lpm-dev/install@v1`	OIDC by default	GitHub Actions

1. Secret-Free Installs with OIDC (recommended)

Use lpm setup --oidc to install LPM packages without storing any secrets. The CI provider proves its identity via OIDC, and LPM issues a 30-minute read-only token automatically.

Prerequisites:

Your GitHub or GitLab account must be linked to your LPM account at Settings > Security
The workflow must have id-token: write permission

GitHub Actions

name: Build
on: push

permissions:
  id-token: write
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22

      - name: Configure LPM registry (OIDC)
        run: npx @lpm-registry/cli setup --oidc

      - name: Install dependencies
        run: npm install

      - name: Build
        run: npm run build

No LPM_TOKEN secret needed. The OIDC token exchange happens automatically during lpm setup --oidc.

GitLab CI

build:
  stage: build
  image: node:22
  id_tokens:
    LPM_GITLAB_OIDC_TOKEN:
      aud: https://lpm.dev
  script:
    - npx @lpm-registry/cli setup --oidc
    - npm install
    - npm run build

GitLab (15.7+) injects the signed JWT directly as the LPM_GITLAB_OIDC_TOKEN environment variable.

How OIDC install works

CI provider generates a signed identity token (JWT)
lpm setup --oidc detects the CI environment and requests this token
LPM verifies the JWT signature and matches the CI user to a linked LPM account
LPM issues a 30-minute read-only token
The token is written to .npmrc — npm install works immediately

If OIDC exchange fails (wrong setup, unlinked account), the command falls back to the ${LPM_TOKEN} placeholder with a warning.

2. Secret-Free Publishing with Trusted Publishers

For publishing via OIDC, you need a Trusted Publisher configuration (more restrictive than install, since publishing modifies packages).

Step 1 — Add a trusted publisher in the dashboard

Open your package in the LPM dashboard
Go to the Trusted Publishers tab
Click Add Trusted Publisher
Select GitHub Actions or GitLab CI
Fill in repository owner, repository name, workflow/config file, and optional environment
Save

The repository, workflow filename, and environment (if set) must match exactly what the CI pipeline sends.

Step 2 — Add the workflow

GitHub Actions — .github/workflows/publish.yml:

name: Publish to LPM
on:
  push:
    tags:
      - 'v*'

permissions:
  id-token: write
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22

      - run: npm ci

      - run: npx lpm publish
        env:
          LPM_PACKAGE: "@lpm.dev/your-username.your-package"

GitLab CI — .gitlab-ci.yml:

publish:
  stage: publish
  image: node:22
  id_tokens:
    LPM_GITLAB_OIDC_TOKEN:
      aud: https://lpm.dev
  script:
    - npm ci
    - LPM_PACKAGE="@lpm.dev/your-username.your-package" npx lpm publish
  rules:
    - if: '$CI_COMMIT_TAG =~ /^v/'

OIDC install + publish in one workflow

You can combine both in a single workflow — OIDC handles both the install and publish steps:

name: CI + Publish
on:
  push:
    tags:
      - 'v*'

permissions:
  id-token: write
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22

      - name: Configure LPM registry (OIDC)
        run: npx @lpm-registry/cli setup --oidc

      - run: npm ci

      - run: npm test

      - run: npx lpm publish
        env:
          LPM_PACKAGE: "@lpm.dev/your-username.your-package"

Bitbucket Pipelines uses token-based authentication with the LPM_TOKEN environment variable. OIDC is not currently available for Bitbucket because Bitbucket's OIDC tokens do not include user identity claims needed for authentication.

Bitbucket's OIDC implementation is designed for cloud provider authentication (AWS, GCP) and does not yet support package registry workflows. This is a known limitation — we'll add OIDC support when Bitbucket adds the necessary claims. In the meantime, LPM_TOKEN works reliably.

Install packages

pipelines:
  default:
    - step:
        name: Build
        image: node:22
        script:
          - npx @lpm-registry/cli setup
          - npm ci
          - npm run build
          - npm test

Add LPM_TOKEN as a repository variable under Repository settings > Pipelines > Repository variables.

Publish packages

pipelines:
  tags:
    'v*':
      - step:
          name: Publish
          image: node:22
          script:
            - npx @lpm-registry/cli setup
            - npm ci
            - npx lpm publish

Install + publish

definitions:
  steps:
    - step: &build
        name: Build & Test
        image: node:22
        script:
          - npx @lpm-registry/cli setup
          - npm ci
          - npm run build
          - npm test

pipelines:
  default:
    - step: *build
  tags:
    'v*':
      - step: *build
      - step:
          name: Publish
          image: node:22
          script:
            - npx @lpm-registry/cli setup
            - npm ci
            - npx lpm publish

4. Token-Based Authentication (any platform)

For CI platforms without OIDC support, or deployment platforms like Vercel and Netlify, use the LPM_TOKEN environment variable.

GitHub Actions (with token)

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: npx @lpm-registry/cli setup
      - run: npm ci
        env:
          LPM_TOKEN: ${{ secrets.LPM_TOKEN }}

Add LPM_TOKEN under Settings > Secrets and variables > Actions.

GitLab CI (with token)

build:
  stage: build
  image: node:22
  script:
    - npx @lpm-registry/cli setup
    - npm ci
    - npm run build
  variables:
    LPM_TOKEN: $LPM_TOKEN

Add LPM_TOKEN under Settings > CI/CD > Variables.

5. Version Management

Before triggering a publish workflow, bump the version in package.json. Two common approaches:

Manual tagging:

npm version patch   # or minor / major
git push --tags

npm version updates package.json, commits the bump, and creates a vX.Y.Z git tag in one step. The push --tags triggers the workflow.

Automated with Changesets or Release Please:

Changesets — popular for monorepos; contributors add changeset files, a release PR aggregates them
Release Please — Google's GitHub Action for automated versioning from Conventional Commits

6. Verifying a Publish

After your first OIDC publish:

Open your package in the LPM dashboard > Trusted Publishers tab
Scroll to Recent CI Publishes — each row shows the version, repository, commit SHA, workflow file, and publish date
On the public package page, the Versions tab shows provenance metadata (repository, workflow, commit) next to each version published via OIDC

7. Validating Before Publishing

Run lpm publish --dry-run locally or in CI to verify your setup before the real publish:

npx lpm publish --dry-run

This builds the tarball, runs quality checks, and prints a summary — including OIDC detection status — without uploading anything.