From 738fb48a1deb812eb4c1694e8257b3669dc1fa41 Mon Sep 17 00:00:00 2001 From: Brian Love Date: Thu, 30 Apr 2026 17:52:49 -0700 Subject: [PATCH] chore(workflow): switch to npm trusted publishing; drop NPM_TOKEN env MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Trusted publishing has been configured per-package on npm (manual web UI step, completed). The OIDC token from 'permissions.id-token: write' authenticates this workflow as a trusted publisher for each @ngaf/* package — no token needed in env. After two consecutive successful trusted-publish releases, you can: - gh secret delete NPM_TOKEN (remove the unused secret from this repo) - Revoke the local token via npm settings Provenance attestations continue to be generated automatically via NPM_CONFIG_PROVENANCE='true'. Co-Authored-By: Claude Opus 4.7 --- .github/workflows/publish.yml | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 62733e297..eef1883eb 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest permissions: contents: read - id-token: write # for npm provenance + id-token: write # required for npm trusted publishing + provenance env: NPM_PUBLISHABLE_PROJECTS: chat,langgraph,ag-ui,render,a2ui,partial-json,licensing steps: 
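Review bot: `id-token: write` is now the entire publish credential, so the comment on that line should also record the constraints npm puts on it: trusted publishing needs an npm CLI that supports it (npm 11.5.1 or later per npm's documentation), and the trust npm holds is bound to this repository plus the workflow file name `publish.yml`, so renaming the file silently breaks publishing. The job's Node/npm setup step is outside this hunk, so whether the bundled npm is new enough cannot be checked here; if it is older, `nx release publish` will still look for a token that no longer exists. Suggested line: `id-token: write # required for npm trusted publishing + provenance (npm >= 11.5.1; trust is bound to this repo and the file name publish.yml)`.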
@@ -32,15 +32,17 @@ jobs: - name: Lint, test, build publishable projects run: npx nx run-many -t lint,test,build --projects=$NPM_PUBLISHABLE_PROJECTS --skip-nx-cache + # Trusted publishing is configured per-package on npm; no NPM_TOKEN needed. + # The OIDC token from id-token: write authenticates this workflow as a + # trusted publisher for each @ngaf/* package. Provenance attestations are + # generated automatically. + - name: Publish to npm if: github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && inputs.dry-run == false) run: npx nx release publish --groups=publishable env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} NPM_CONFIG_PROVENANCE: 'true' - name: Publish to npm (dry run) if: github.event_name == 'workflow_dispatch' && inputs.dry-run == true run: npx nx release publish --groups=publishable --dry-run - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
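Review bot: Removing `NODE_AUTH_TOKEN` leaves the `.npmrc` written by the job's setup step to be checked, and this hunk does not do that: if the setup step earlier in the job (outside this hunk) passes `registry-url`, actions/setup-node writes an `.npmrc` line that references `${NODE_AUTH_TOKEN}`, and with the variable now unset some npm versions abort with `Failed to replace env in config` before any OIDC exchange happens. Whether `nx release publish --dry-run` still succeeds with no registry credential depends on how nx drives `npm publish --dry-run`, which is not visible here, so the dry-run path should be confirmed with a `workflow_dispatch` run before `NPM_TOKEN` is deleted. The added comment block appears to be followed by an added blank line and then `- name: Publish to npm`; since the comment describes that step, put the blank line before the comment and keep the comment directly above the step it explains.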