diff --git a/lib/publish.js b/lib/publish.js
index 7ffd425c4038b..190d381a8aeeb 100644
--- a/lib/publish.js
+++ b/lib/publish.js
@@ -72,24 +72,12 @@ const publish_ = async (arg, opts) => {
   // you can publish name@version, ./foo.tgz, etc.
   // even though the default is the 'file:.' cwd.
   const spec = npa(arg)
-  const manifest = await getManifest(spec, opts)
+
+  let manifest = await getManifest(spec, opts)
 
   if (manifest.publishConfig)
     Object.assign(opts, publishConfigToOpts(manifest.publishConfig))
 
-  const resolved = npa.resolve(manifest.name, manifest.version)
-  const registry = npmFetch.pickRegistry(resolved, opts)
-
-  console.log(`picked registry ${registry}`)
-  if (!dryRun) {
-    const creds = npm.config.getCredentialsByURI(registry)
-    if (!creds.token && !creds.username) {
-      throw Object.assign(new Error('This command requires you to be logged in.'), {
-        code: 'ENEEDAUTH',
-      })
-    }
-  }
-
   // only run scripts for directory type publishes
   if (spec.type === 'directory') {
     await runScript({
@@ -103,18 +91,27 @@ const publish_ = async (arg, opts) => {
   const tarballData = await pack(spec, opts)
   const pkgContents = await getContents(manifest, tarballData)
 
+  // The purpose of re-reading the manifest is in case it changed,
+  // so that we send the latest and greatest thing to the registry
+  // note that publishConfig might have changed as well!
+  manifest = await getManifest(spec, opts)
+  if (manifest.publishConfig)
+    Object.assign(opts, publishConfigToOpts(manifest.publishConfig))
+
   // note that logTar calls npmlog.notice(), so if we ARE in silent mode,
   // this will do nothing, but we still want it in the debuglog if it fails.
   if (!json)
     logTar(pkgContents, { log, unicode })
 
   if (!dryRun) {
-    // The purpose of re-reading the manifest is in case it changed,
-    // so that we send the latest and greatest thing to the registry
-    // note that publishConfig might have changed as well!
-    const manifest = await getManifest(spec, opts)
-    if (manifest.publishConfig)
-      Object.assign(opts, publishConfigToOpts(manifest.publishConfig))
+    const resolved = npa.resolve(manifest.name, manifest.version)
+    const registry = npmFetch.pickRegistry(resolved, opts)
+    const creds = npm.config.getCredentialsByURI(registry)
+    if (!creds.token && !creds.username) {
+      throw Object.assign(new Error('This command requires you to be logged in.'), {
+        code: 'ENEEDAUTH',
+      })
+    }
     await otplease(opts, opts => libpub(manifest, tarballData, opts))
   }
 
diff --git a/test/lib/publish.js b/test/lib/publish.js
index adc72d6075046..6904de1ed6558 100644
--- a/test/lib/publish.js
+++ b/test/lib/publish.js
@@ -27,12 +27,20 @@ const config = {
   },
 }
 
+const registryCredentials = (t, registry) => {
+  return (uri) => {
+    t.same(uri, registry, 'gets credentials for expected registry')
+    return credentials[uri]
+  }
+}
+
 const fs = require('fs')
 
 t.test('should publish with libnpmpublish, respecting publishConfig', (t) => {
-  t.plan(5)
+  t.plan(6)
 
-  const publishConfig = { registry: 'https://some.registry' }
+  const registry = 'https://some.registry'
+  const publishConfig = { registry }
   const testDir = t.testdir({
     'package.json': JSON.stringify({
       name: 'my-cool-pkg',
@@ -46,9 +54,12 @@ t.test('should publish with libnpmpublish, respecting publishConfig', (t) => {
       flatOptions: {
         json: true,
         defaultTag: 'latest',
-        registry: 'https://registry.npmjs.org',
+        registry,
+      },
+      config: {
+        ...config,
+        getCredentialsByURI: registryCredentials(t, registry),
       },
-      config,
     },
     '../../lib/utils/tar.js': {
       getContents: () => ({
@@ -87,8 +98,9 @@ t.test('should publish with libnpmpublish, respecting publishConfig', (t) => {
 })
 
 t.test('re-loads publishConfig if added during script process', (t) => {
-  t.plan(5)
-  const publishConfig = { registry: 'https://some.registry' }
+  t.plan(6)
+  const registry = 'https://some.registry'
+  const publishConfig = { registry }
   const testDir = t.testdir({
     'package.json': JSON.stringify({
       name: 'my-cool-pkg',
@@ -103,7 +115,10 @@ t.test('re-loads publishConfig if added during script process', (t) => {
         defaultTag: 'latest',
         registry: 'https://registry.npmjs.org/',
       },
-      config,
+      config: {
+        ...config,
+        getCredentialsByURI: registryCredentials(t, registry),
+      },
     },
     '../../lib/utils/tar.js': {
       getContents: () => ({
@@ -128,7 +143,7 @@ t.test('re-loads publishConfig if added during script process', (t) => {
         t.match(manifest, { name: 'my-cool-pkg', version: '1.0.0' }, 'gets manifest')
         t.isa(tarData, Buffer, 'tarData is a buffer')
         t.ok(opts, 'gets opts object')
-        t.same(opts.registry, publishConfig.registry, 'publishConfig is passed through')
+        t.same(opts.registry, registry, 'publishConfig is passed through')
       },
     },
   })
@@ -417,10 +432,7 @@ t.test('should check auth for scope specific registry', t => {
       },
       config: {
         ...config,
-        getCredentialsByURI: (uri) => {
-          t.same(uri, registry, 'gets credentials for scope specific registry')
-          return credentials[uri]
-        },
+        getCredentialsByURI: registryCredentials(t, registry),
       },
     },
     '../../lib/utils/tar.js': {