packages/ and the modules under modules/ that other projects install. Talos drives the whole flow from the CLI — save a token once, then let npm:publish pack each target, resolve its workspace dependencies to real version ranges, and push it to the registry. Versions already on npm are skipped, so re-running never double-publishes.
The guiding principle is version in git, publish from git. release:create bumps versions, writes changelogs, and tags from your conventional commits; npm:publish takes those tagged versions to the registry. The two compose into a single command when you pass --publish.
What gets published
Every directory underpackages/ and modules/ is a candidate. Each must carry a package.json whose name and version define the published artifact.
| Source | Location | Typical use |
|---|---|---|
| Packages | packages/<name>/ | Framework-agnostic libraries (@talosjs/logger, @talosjs/command, …). |
| Modules | modules/<name>/ | Business-domain modules published for reuse across services. |
npm:publish publishes the package’s dist/ as-is. Build your artifacts
(so dist/ is current) before publishing — the command packs what is on
disk; it does not run your build.Step 1 — Save an npm token
Publishing authenticates with an npm Granular Access Token. Save it once withnpm:credentials:create; it is written as block-style YAML to ~/.talos/credentials/npm.yml under the default profile and reused by every publish.
Step 2 — Publish
With a token saved, publish everything in the workspace:Options
| Option | Description | Default |
|---|---|---|
--packages | Comma-separated package names to publish (under packages/). | All packages and modules |
--modules | Comma-separated module names to publish (under modules/). | All packages and modules |
--access | npm access level: public or restricted. | public |
--silent | Suppress log output and the publishing spinner (use in CI). | false |
What the command does per target
For each resolved target,npm:publish:
- Checks the registry for the target’s
name@version. If that version already exists, it is reported as ignored and skipped — this is what makes re-runs safe. - Packs with
bun pm packintodist/, soworkspace:*dependencies resolve to real published version ranges instead of workspace protocols. - Extracts the tarball into
dist/publish, stripping npm’spackage/prefix so the resolvedpackage.jsonlands at the root. - Publishes with
npm publish --access <access>fromdist/publish, authenticating with your saved token. (npm, notbun publish, is used deliberately — it avoids the interactive web-OTP flow.) - Cleans up the tarball and
dist/publishafterward, so nothing leaks into the next packed artifact.
N published, M ignored.
Because publishing packs with
bun but publishes with npm, both must be on
PATH. A version whose name@version is already on the registry is never
re-published, so bumping the version (Step 3) is what makes a new publish
happen.Step 3 — Version and publish together
You rarely publish a hand-edited version. Instead letrelease:create derive the next version from your conventional commits — a breaking change bumps major, a feat bumps minor, anything else patches — then write the changelog, commit, and tag. Passing --publish hands the freshly released targets straight to npm:publish:
- Verifies the working tree is clean (aborts otherwise).
- For each package/module with unreleased commits, bumps its version, updates
CHANGELOG.md, commits, and creates an annotated git tag. - Prompts to push commits and tags to the remote (also refreshes and commits
bun.lock). - Publishes only the targets it released this run to npm.
Publish from CI
The same two commands run unattended. Provide the token from a secret and add--silent to keep logs clean:
- GitHub Actions
- Generic CI
.github/workflows/publish.yml
Checklist
- Save the npm token once with
npm:credentials:create(or inject it via--tokenin CI). - Build so each target’s
dist/is current before publishing. - Let
release:createderive versions from conventional commits — don’t hand-edit them. - Use
release:create --publishfor the normal flow; reserve barenpm:publishfor retries. - Pass
--access=restrictedfor private scoped packages. - In CI, add
--silentand pull the token from a secret store — never commitnpm.yml.
Related
- npm:publish — the publish command and all its options.
- npm:credentials:create — save the Granular Access Token.
- release:create — version, changelog, and tag from conventional commits.
- Deploy an API — ship the app module as a container instead of a library.
- Monorepo — how packages and modules are laid out.