ci(publish): configure npm Trusted Publishers authentication

OhYee · OhYee · commit ca0666e3c57c · 2026-01-04T00:57:03.000+08:00
Configure npm Trusted Publishers authentication by setting registry-url
and unsetting NODE_AUTH_TOKEN to force OIDC authentication in publish
workflow, replacing the previous approach that relied on npm CLI
handling OIDC auth implicitly.

// 配置 npm 可信发布者身份验证，通过设置 registry-url
// 并取消设置 NODE_AUTH_TOKEN 以在发布工作流程中强制使用 OIDC 身份验证，
// 替换了之前依赖 npm CLI 隐式处理 OIDC 身份验证的方法。

Change-Id: I90b04ec15b767d1f16604e291c998da98d9d6514
Signed-off-by: OhYee &lt;oyohyee@oyohyee.com&gt;
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -70,15 +70,13 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: '20'
-          # Note: Do NOT set registry-url here, let npm CLI handle OIDC auth
+          registry-url: 'https://registry.npmjs.org'
 
       - name: Upgrade npm for Trusted Publishers
         run: |
           npm --version
           npm install -g npm@latest
           npm --version
-          # Verify npm is configured correctly for Trusted Publishers
-          npm config list
 
       - name: Determine test version
         id: version
@@ -127,6 +125,10 @@ jobs:
           VERSION="${{ steps.version.outputs.VERSION }}"
           echo "Publishing ${PACKAGE_NAME}@${VERSION} with tag=test"
           npm publish --tag test --access public
+        env:
+          # Unset NODE_AUTH_TOKEN to force npm to use OIDC authentication
+          # Organization may have NPM_TOKEN configured, but we want Trusted Publishers
+          NODE_AUTH_TOKEN: ''
 
       - name: Summary
         run: |
@@ -165,15 +167,13 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: '20'
-          # Note: Do NOT set registry-url here, let npm CLI handle OIDC auth
+          registry-url: 'https://registry.npmjs.org'
 
       - name: Upgrade npm for Trusted Publishers
         run: |
           npm --version
           npm install -g npm@latest
           npm --version
-          # Verify npm is configured correctly for Trusted Publishers
-          npm config list
 
       - name: Determine version
         id: config
@@ -267,6 +267,10 @@ jobs:
           VERSION="${{ steps.config.outputs.VERSION }}"
           echo "Publishing ${PACKAGE_NAME}@${VERSION} with tag=latest"
           npm publish --tag latest --access public
+        env:
+          # Unset NODE_AUTH_TOKEN to force npm to use OIDC authentication
+          # Organization may have NPM_TOKEN configured, but we want Trusted Publishers
+          NODE_AUTH_TOKEN: ''
 
       - name: Summary
         run: |
@@ -302,15 +306,13 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: '20'
-          # Note: Do NOT set registry-url here, let npm CLI handle OIDC auth
+          registry-url: 'https://registry.npmjs.org'
 
       - name: Upgrade npm for Trusted Publishers
         run: |
           npm --version
           npm install -g npm@latest
           npm --version
-          # Verify npm is configured correctly for Trusted Publishers
-          npm config list
 
       - name: Determine version
         id: version
@@ -355,6 +357,10 @@ jobs:
           VERSION="${{ steps.version.outputs.VERSION }}"
           echo "Publishing ${PACKAGE_NAME}@${VERSION} with tag=test"
           npm publish --tag test --access public
+        env:
+          # Unset NODE_AUTH_TOKEN to force npm to use OIDC authentication
+          # Organization may have NPM_TOKEN configured, but we want Trusted Publishers
+          NODE_AUTH_TOKEN: ''
 
       - name: Summary
         run: |
