From c6cfd68cdaa671153eff09547d41a063fc40b6bb Mon Sep 17 00:00:00 2001
From: Jorge Vidaurre <jorge@agents-squads.com>
Date: Fri, 24 Apr 2026 10:25:15 -0400
Subject: [PATCH] fix(ci): migrate publish workflows to OIDC trusted publishing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Both publish.yml (manual) and release.yml (tag-triggered) passed
NODE_AUTH_TOKEN: \${{ secrets.NPM_TOKEN }} to npm publish, which npm
prefers over OIDC. With a stale NPM_TOKEN, publishes failed 404 and
OIDC was never attempted.

Changes:
- Remove NODE_AUTH_TOKEN from both publish steps — npm falls back to OIDC
  via the trusted publisher already configured on npmjs.com
- Upgrade Node to 22 and install npm@latest so npm >= 11.5.1 is used
  (required for OIDC trusted publisher authentication)
- publish.yml: detect pre-release dist-tag from package.json version
  (matches release.yml behavior) so rc versions go to @next, not @latest

Closes #754
---
 .github/workflows/publish.yml | 24 ++++++++++++++++++++----
 .github/workflows/release.yml | 10 +++++++---
 2 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index a5c5def9..3d6c5a9a 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -62,13 +62,29 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: '20'
+          node-version: '22'
           registry-url: 'https://registry.npmjs.org'
 
+      # Upgrade npm to a version that supports OIDC trusted publishing (>= 11.5.1)
+      - name: Upgrade npm for OIDC trusted publishing
+        run: npm install -g npm@latest
+
       - run: npm ci
 
       - run: npm run build
 
-      - run: npm publish --provenance --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+      - name: Determine npm dist-tag from package.json
+        id: dist_tag
+        run: |
+          VERSION=$(node -p "require('./package.json').version")
+          if [[ "$VERSION" == *-* ]]; then
+            echo "npm_tag=next" >> "$GITHUB_OUTPUT"
+            echo "Publishing pre-release $VERSION to @next"
+          else
+            echo "npm_tag=latest" >> "$GITHUB_OUTPUT"
+            echo "Publishing $VERSION to @latest"
+          fi
+
+      # Authentication via OIDC trusted publisher (configured on npmjs.com).
+      # No NPM_TOKEN needed.
+      - run: npm publish --provenance --access public --tag ${{ steps.dist_tag.outputs.npm_tag }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 739761bf..3daa51d1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -69,10 +69,14 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '20'
+          node-version: '22'
           cache: 'npm'
           registry-url: 'https://registry.npmjs.org'
 
+      # Upgrade npm to a version that supports OIDC trusted publishing (>= 11.5.1)
+      - name: Upgrade npm for OIDC trusted publishing
+        run: npm install -g npm@latest
+
       - name: Install dependencies
         run: npm ci
 
@@ -93,10 +97,10 @@ jobs:
             echo "Publishing $TAG to @latest"
           fi
 
+      # Authentication via OIDC trusted publisher (configured on npmjs.com).
+      # No NPM_TOKEN needed.
       - name: Publish to npm
         run: npm publish --provenance --access public --tag ${{ steps.dist_tag.outputs.npm_tag }}
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Create GitHub Release
         uses: softprops/action-gh-release@v1