From 42b3c078099b4482fbf7ff36b1629fabf4fa3dce Mon Sep 17 00:00:00 2001
From: Ray Walker
Date: Sun, 17 May 2026 11:11:25 +1000
Subject: [PATCH] ci: switch npm publish to OIDC trusted publishing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Removes the long-lived NPM_TOKEN secret from the release pipeline. Every publish now authenticates via short-lived OIDC tokens minted by GitHub Actions and validated by npm against a registered trusted publisher config.

Changes:
- release-please.yml publish-cachekit: drop the .npmrc shim and the NODE_AUTH_TOKEN env; use npm publish (not pnpm) so we use the npm CLI's native OIDC handling
- build-native.yml publish (platform + main): same — drop env tokens, use npm publish with --provenance and (for main pkg) --ignore-scripts
- Both jobs upgrade npm to latest before publish; Node 22 ships npm 10.9 which predates OIDC trusted publishing (needs >= 11.5.1)

id-token: write was already granted in both publish jobs; no permission delta. The provenance attestation that npm publish emits remains the SLSA L2 statement consumers already see.

ONE-TIME npm side setup required before merge — see PR description.
---
 .github/workflows/build-native.yml | 13 +++++++------
 .github/workflows/release-please.yml | 14 ++++++--------
 2 files changed, 13 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/build-native.yml b/.github/workflows/build-native.yml
index 9061d82..6d0fa2f 100644
--- a/.github/workflows/build-native.yml
+++ b/.github/workflows/build-native.yml
@@ -170,19 +170,20 @@ jobs:
         working-directory: packages/cachekit-core-ts
         run: ls -la npm/*/
 
-      - name: Publish platform packages
+      # npm Trusted Publishing (OIDC) requires npm >= 11.5.1.
+      # Node 22 ships an older npm; upgrade in-place for the publish steps.
+      - name: Upgrade npm for OIDC
+        run: npm install -g npm@latest
+
+      - name: Publish platform packages (OIDC trusted publisher)
         working-directory: packages/cachekit-core-ts
         run: |
           find npm -mindepth 1 -maxdepth 1 -type d -exec npm publish {} --access public --provenance \;
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Prepare main package
         working-directory: packages/cachekit-core-ts
         run: npx napi prepublish -t npm --skip-gh-release
 
-      - name: Publish main package
+      - name: Publish main package (OIDC trusted publisher)
         working-directory: packages/cachekit-core-ts
         run: npm publish --access public --provenance --ignore-scripts
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 6367319..fbf4293 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -79,13 +79,11 @@ jobs:
       - name: Test
         run: pnpm test
 
-      - name: Configure npm auth
-        run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+      # npm Trusted Publishing (OIDC) requires npm >= 11.5.1.
+      # Node 22 ships an older npm; upgrade in-place for the publish step.
+      - name: Upgrade npm for OIDC
+        run: npm install -g npm@latest
 
-      - name: Publish to npm
+      - name: Publish to npm (OIDC trusted publisher)
         working-directory: packages/cachekit
-        run: pnpm publish --access public --provenance --no-git-checks
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npm publish --access public --provenance
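Review bot: `npm install -g npm@latest` in the new `Upgrade npm for OIDC` step resolves the mutable `latest` dist-tag at the moment of each release run, so the tool that mints the OIDC exchange, signs the provenance and pushes the tarball is itself unpinned in the one job that holds `id-token: write`; the identical step appears in the release-please.yml hunk. Since the commit already fixes the floor at 11.5.1, pin an exact version and bump it on purpose, e.g. `run: npm install -g npm@<pinned version >= 11.5.1>`, with the step comment extended to `# Pinned on purpose: the publisher's own toolchain must not float on a dist-tag.`. Separately, the platform-package step's unchanged `find … -exec npm publish {} … \;` line reports find's own exit status, not the `-exec` command's, so one platform package failing to publish would very likely leave the job green with a partial release; a plain loop under the job's default `bash -e` shell fails fast instead, e.g. `for d in npm/*/; do npm publish "$d" --access public --provenance; done`. The `publish` job's step list continues past the end of this hunk.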
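Review bot: Replacing `pnpm publish` with `npm publish` in the `Publish to npm` step changes what is packed, not only how it authenticates: npm does not rewrite pnpm's `workspace:` dependency specifiers and does not apply pnpm's `publishConfig` field overrides, so if `packages/cachekit/package.json` relies on either (not visible here) the published manifest would carry specifiers consumers cannot install. Confirm with a dry run before merging, e.g. `npm publish --dry-run` and an inspection of the packed `package.json`, and record the result in the step comment: `# npm (not pnpm) publish: verified no workspace: specifiers or pnpm publishConfig overrides in package.json`. Unlike the main-package step in build-native.yml, this `npm publish` does not pass `--ignore-scripts`, so any `prepublishOnly`/`prepare` hook now runs inside the publish step under npm rather than pnpm; either add `--ignore-scripts` after an explicit build step, or document why the hooks must run here. The enclosing `publish-cachekit` job continues outside this hunk.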