Publish to npm via OIDC trusted publishing (#148)

gaojude · web-flow · commit 95794e09857b · 2026-06-24T18:47:17.000-04:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -21,17 +21,22 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '20'
+          node-version: '22'
           cache: 'pnpm'
           registry-url: 'https://registry.npmjs.org'
 
+      # Trusted publishing (OIDC) needs npm >= 11.5.1; the version bundled with
+      # Node does not satisfy this yet.
+      - name: Update npm for trusted publishing
+        run: npm install -g npm@latest
+
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 
       - name: Build package
         run: pnpm run build
 
+      # Authenticates via OIDC against the npm trusted publisher configured for
+      # this repo + workflow — no NPM_TOKEN needed. Provenance is automatic.
       - name: Publish to npm
-        run: pnpm publish --access public --no-git-checks
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN_ELEVATED }}
+        run: npm publish --access public
