From 60ef3f6b6abf14297ba3e2776934323adb1bf97f Mon Sep 17 00:00:00 2001
From: Pascal Klesse <54418919+pascal-klesse@users.noreply.github.com>
Date: Wed, 20 May 2026 21:29:08 +0200
Subject: [PATCH] ci: publish to npm via OIDC trusted publishing instead of NPM_TOKEN
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

npm granular access tokens have a max expiry and the classic non-expiring automation tokens are being deprecated, so the NPM_TOKEN secret silently broke publishing overnight. Switch to npm Trusted Publishing (OIDC): npm mints a short-lived, workflow-scoped token at run time — nothing to expire or rotate. Requires a Trusted Publisher configured on npmjs.com (repo lenneTech/cli, workflow publish.yml). Bumps Node 20 -> 22 and upgrades npm to >= 11.5.1 (OIDC support landed in 11.5.1), adds `id-token: write`, drops the JS-DevTools/npm-publish action + NPM_TOKEN in favour of plain `npm publish`. Adds workflow_dispatch so a release can be re-published without recreating the GitHub Release.

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/publish.yml | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 77f2e0e..cdd2ece 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,6 +4,15 @@ on:
   release:
     types:
       - released
+  workflow_dispatch:
+
+# Trusted Publishing (OIDC): npm mints a short-lived, workflow-scoped token
+# at run time — no long-lived NPM_TOKEN secret to expire or rotate.
+# Requires a Trusted Publisher configured on npmjs.com for this repo +
+# workflow filename, npm >= 11.5.1, and Node >= 22.14.0.
+permissions:
+  id-token: write
+  contents: read
 
 jobs:
   publish:
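Review bot: The new `workflow_dispatch:` trigger lets anyone with write access start the publish job from any branch or tag, and as far as I know the npm trusted-publisher binding checks only repository and workflow filename (plus an optional environment), so a manual run from an unreviewed branch would still be handed a publishable OIDC token. The explicit `permissions:` block is the right least-privilege shape, since declaring it drops every unlisted scope to none. Consider binding the job to a GitHub environment with required reviewers and deployment-branch rules and naming that same environment in the npm trusted-publisher configuration, e.g. `environment: npm-publish` under the `publish` job; the job header sits outside this hunk, so I cannot tell whether one is already set. The header comment could carry that constraint in one line, e.g. `# workflow_dispatch is gated only by repo write access; the job's environment adds approval.`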
@@ -11,15 +20,16 @@ jobs:
     steps:
       - name: Git checkout
         uses: actions/checkout@v4
-      - name: Node 20
+      - name: Node 22
         uses: actions/setup-node@v4
         with:
-          node-version: 20
+          node-version: 22
+          registry-url: https://registry.npmjs.org
+      - name: Upgrade npm for OIDC trusted publishing
+        run: npm install -g npm@latest
       - name: NPM install
         run: npm install
       - name: Build
         run: npm run build
       - name: Publish
-        uses: JS-DevTools/npm-publish@v3
-        with:
-          token: ${{ secrets.NPM_TOKEN }}
+        run: npm publish
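Review bot: `run: npm install -g npm@latest` pulls whatever npm version is current at run time into a job that holds `id-token: write`, replacing a pinned tool with a floating one on the release path; pin it to a version you have verified, e.g. `run: npm install -g npm@11.5.1` (the minimum the header comment names), and bump it deliberately. A second concern is that the OIDC-minting credentials are available to every step in this job, including dependency lifecycle scripts executed by the `NPM install` step, so a compromised dependency's install script could request the same token the `Publish` step uses; running the install with `--ignore-scripts` (and `npm ci` if a lockfile is committed, which I cannot see from here), or splitting build and publish into separate jobs with `id-token: write` granted only to the publish job, narrows that window. Whether `npm publish` here also needs an explicit `--provenance` flag depends on the pinned npm version's defaults, which is worth confirming once the version is fixed.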