Package Registries
Each target publishes to the registry for its language. This page is the at-a-glance map; follow the link in the table for step-by-step setup, including both authentication options and the exact secrets to add.
For how publishing works end to end, see Publishing.
Quick reference
| Target | Registry | Default auth | Secrets to add |
|---|---|---|---|
| TypeScript | npm | OIDC | none (OIDC) or NPM_TOKEN |
| Python | PyPI | OIDC | none (OIDC) or PYPI_API_TOKEN |
| Go | Go modules | Git tag | none |
| Rust | crates.io | OIDC | none (OIDC) or CARGO_REGISTRY_TOKEN |
| Java and Kotlin | Maven Central | Token + GPG | MAVEN_CENTRAL_USERNAME, MAVEN_CENTRAL_PASSWORD, MAVEN_GPG_PRIVATE_KEY, MAVEN_GPG_PASSPHRASE |
| C# | NuGet | OIDC | NUGET_USER (OIDC) or NUGET_API_KEY |
| Ruby | RubyGems | API key | RUBYGEMS_API_KEY |
| PHP | Packagist | Git tag | none |
| Swift | Swift Package Manager | Git tag | none |
| Dart | pub.dev | OIDC | none (OIDC) or PUB_TOKEN |
| CLI | npm / Homebrew / macOS | OIDC or token | none (npm OIDC) or NPM_TOKEN, plus HOMEBREW_TAP_TOKEN for Homebrew |
| C++ | — | — | none (built in CI, no registry) |
Two ways to authenticate
Most registries support both options. Pick one per target.
- OIDC trusted publishing (recommended where available): the
sdk-release.ymlworkflow proves its identity to the registry with a short-lived GitHub token, so there is nothing to store or rotate. You register the repository and workflow as a trusted publisher on the registry once. This is the default when you set"<registry>": true. - API token / key: you create a token on the registry and add it as a repository secret. Switch a target to this with
authMethod: "access-token". Maven Central and RubyGems only support this style; Maven Central also requires a GPG key for signing.
{
"targets": {
"typescript": {
"publish": { "npm": { "authMethod": "access-token" } }
}
}
}
Tag-served ecosystems (Go, Swift, Packagist) have no upload step and no secrets. The vX.Y.Z Git tag and GitHub Release that Scalar creates on merge are the published version.
C++
C++ has no universal package registry. The C++ target generates a CI workflow that builds with CMake but no release workflow. Distribute the build artifacts from the GitHub Release however suits your users.