Migrate npm OIDC (#230)

* refactor: migrate to OIDC for npm package publishing

Replace token-based authentication with OpenID Connect (OIDC) for enhanced security:
- Remove NPM_TOKEN from changesets action environment
- Enable automatic provenance generation (NPM_CONFIG_PROVENANCE)
- Set NODE_AUTH_TOKEN to empty string to force OIDC authentication
- Keep diagnostic step for troubleshooting auth issues

This requires configuring npm Trusted Publisher on npmjs.com for the repository.

* refactor: restructure publish workflow to support OIDC properly

Split changesets/action into versioning-only step and separate publish step
to avoid .npmrc token mutation that would block OIDC. This ensures npm uses
Trusted Publisher authentication instead of legacy token-based auth.

Key changes:
- changesets/action now only runs version step (no publish input)
- Added OIDC preflight step to scrub any auth tokens from .npmrc before publishing
- Separated publish into dedicated step with pnpm changeset-publish
- Added post-mortem diagnostics for troubleshooting publish failures

The id-token: write permission remains enabled for OIDC token generation.
Registry setup and package.json publish script already include provenance.

* fix: harden OIDC workflow with publish gate and comprehensive preflight

Address three critical risks identified during code review:

1. Gate publish step to run only when no changesets exist
   - Prevents wasteful runs and log noise when version PR is created
   - Ensures publish only runs on merge commits (when hasChangesets == 'false')
   - .github/workflows/publish.yaml:74

2. Harden preflight to scrub all .npmrc locations and auth forms
   - Iterate over all potential locations: NPM_CONFIG_USERCONFIG, ~/.npmrc, .npmrc
   - Remove both registry-scoped (_authToken, _auth=) and global (always-auth) forms
   - Prevents stray .npmrc from blocking OIDC authentication
   - .github/workflows/publish.yaml:45-52

3. Make whoami check robust with exit code instead of grep
   - Check npm whoami exit code (0 = logged in, non-zero = not logged in)
   - Avoids reliance on fragile message matching across npm versions
   - Verify registry config (including @openrouter scope)
   - .github/workflows/publish.yaml:62-71

4. Enhance post-mortem diagnostics
   - Log registry configuration for both global and @openrouter scope
   - Redact .npmrc contents to aid forensics without exposing secrets
   - Check all three potential .npmrc locations
   - .github/workflows/publish.yaml:92-101

With these changes, the workflow is hardened against OIDC authentication failures.

* refine: use extended regex patterns for comprehensive .npmrc token scrubbing

Improve sed patterns to handle edge cases in token removal:
- Registry-scoped tokens: Allow optional whitespace around = sign
  sed -i -E '/\/\/registry\.npmjs\.org\/:(_authToken|_auth)\s*=/d'
- Global tokens: Match _authToken or _auth anywhere on a line with leading whitespace
  sed -i -E '/^\s*(_authToken|_auth)\s*=/d'
- Global always-auth: Case-insensitive with optional spacing
  sed -i -E '/^\s*[Aa]lways-[Aa]uth\s*=/d'

This closes the gap where npm could treat whitespace-padded or variant token
lines as a signal to use legacy token auth instead of OIDC. Extended regex (-E)
enables more flexible matching without sacrificing readability.

Addresses edge case identified during workflow review.

Author: subtleGradient

.github/workflows/publish.yaml

@@ -29,47 +29,77 @@ jobs:
           cache: pnpm
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
-      - name: Diagnose npm authentication
+      - name: Create Release Pull Request or Publish
+        id: changesets
+        uses: changesets/action@v1
+        with:
+          version: pnpm changeset-version
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      
+      - name: OIDC preflight - scrub .npmrc and verify registry
         run: |
-          echo "=== NPM Authentication Diagnostics ==="
-          echo "Node version: $(node --version)"
-          echo "npm version: $(npm --version)"
-          echo "pnpm version: $(pnpm --version)"
-          echo ""
-          echo "=== Environment Variables ==="
-          echo "NPM_TOKEN set: ${NPM_TOKEN:+yes (length ${#NPM_TOKEN})}"
-          echo "NODE_AUTH_TOKEN set: ${NODE_AUTH_TOKEN:+yes (length ${#NODE_AUTH_TOKEN})}"
-          echo "NPM_CONFIG_USERCONFIG: $NPM_CONFIG_USERCONFIG"
-          echo ""
-          echo "=== npm config ==="
-          npm config list --json | jq '.registry, .["@openrouter:registry"], .["@openrouter/registry"]' || npm config list
-          echo ""
-          echo "=== .npmrc files ==="
-          for rc in ~/.npmrc "$NPM_CONFIG_USERCONFIG" .npmrc; do
-            if [ -f "$rc" ]; then
-              echo "Found: $rc"
-              wc -l "$rc"
+          echo "=== OIDC Preflight ==="
+          
+          # Remove auth tokens from all potential .npmrc locations to ensure OIDC is used
+          for npmrc in "$NPM_CONFIG_USERCONFIG" ~/.npmrc .npmrc; do
+            if [ -n "$npmrc" ] && [ -f "$npmrc" ]; then
+              echo "Cleaning $npmrc of any existing auth tokens..."
+              # Remove registry-scoped tokens (allow optional whitespace around =)
+              sed -i -E '/\/\/registry\.npmjs\.org\/:(_authToken|_auth)\s*=/d' "$npmrc"
+              # Remove global tokens in any form
+              sed -i -E '/^\s*(_authToken|_auth)\s*=/d' "$npmrc"
+              # Remove global always-auth (case-insensitive, allow spacing)
+              sed -i -E '/^\s*[Aa]lways-[Aa]uth\s*=/d' "$npmrc"
             fi
           done
+          
+          # Verify npm connectivity
+          echo "Testing npm registry connectivity..."
+          npm ping || exit 1
+          
+          # Verify no token is active (should fail for OIDC to work)
+          echo "Verifying no auth token is configured..."
+          if npm whoami >/dev/null 2>&1; then
+            echo "⚠ Warning: npm whoami succeeded without OIDC token"
+          else
+            echo "✓ Confirmed: npm whoami failed (OIDC will be used)"
+          fi
+          
           echo ""
-          echo "=== Auth token in registry ==="
-          npm config get //registry.npmjs.org/:_authToken | head -c 10 && echo "***[rest redacted]"
+          echo "Registry configuration:"
+          npm config get registry
+          npm config get @openrouter:registry || echo "  (no @openrouter scope override)"
+      
+      - name: Publish with OIDC
+        if: steps.changesets.outputs.hasChangesets == 'false'
+        run: pnpm changeset-publish
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      
+      - name: Post-mortem diagnostics
+        if: failure()
+        run: |
+          echo "=== Post-mortem Diagnostics ==="
+          echo "Versions:"
+          echo "  Node: $(node --version)"
+          echo "  npm: $(npm --version)"
+          echo "  pnpm: $(pnpm --version)"
           echo ""
-          echo "=== npm whoami ==="
-          npm whoami 2>&1 || echo "FAILED"
+          echo "Registry configuration:"
+          echo "  registry: $(npm config get registry)"
+          echo "  @openrouter scope: $(npm config get @openrouter:registry || echo '(inherited from global)')"
           echo ""
-          echo "=== npm ping ==="
-          npm ping 2>&1 || echo "FAILED"
+          echo ".npmrc files status:"
+          for npmrc in "$NPM_CONFIG_USERCONFIG" ~/.npmrc .npmrc; do
+            if [ -n "$npmrc" ] && [ -f "$npmrc" ]; then
+              echo "  $npmrc:"
+              echo "    Lines: $(wc -l < "$npmrc")"
+              echo "    Auth lines: $(grep -c "_auth\|_token" "$npmrc" || echo "0")"
+              echo "    Content (redacted):"
+              sed 's/\(_auth[^=]*=\).*/\1***REDACTED***/g; s/\(_token[^=]*=\).*/\1***REDACTED***/g' "$npmrc" | sed 's/^/      /'
+            fi
+          done
           echo ""
-          echo "=== Verify package exists on npm ==="
-          npm view @openrouter/ai-sdk-provider@latest version 2>&1 || echo "FAILED"
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-      - name: Create Release Pull Request or Publish
-        uses: changesets/action@v1
-        with:
-          version: pnpm changeset-version
-          publish: pnpm changeset-publish
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          echo "Package availability:"
+          npm view @openrouter/ai-sdk-provider@latest version 2>&1 || echo "  (could not fetch)"