ci(publish): enhance npm Trusted Publishers workflow with provenance and config cleanup

OhYee · OhYee · commit f81de5ded6ef · 2026-01-04T01:02:23.000+08:00
Add provenance flag for npm publish to enable package attestation
and remove conflicting .npmrc files that may interfere with OIDC
authentication. Includes debug logging for npm configuration and
version information to aid troubleshooting.

  这个提交增强了 npm Trusted Publishers 工作流程，添加了来源证明功能并清理了配置文件。
  为 npm publish 添加了 provenance 标志以启用包证明，并删除了可能干扰 OIDC 身份验证的
  冲突 .npmrc 文件。包含了 npm 配置和版本信息的调试日志以帮助故障排除。

Change-Id: I9ffba9ff52e5c025441df0a90a45386876bb3e7b
Signed-off-by: OhYee &lt;oyohyee@oyohyee.com&gt;
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -124,11 +124,20 @@ jobs:
           PACKAGE_NAME="${{ steps.version.outputs.PACKAGE_NAME }}"
           VERSION="${{ steps.version.outputs.VERSION }}"
           echo "Publishing ${PACKAGE_NAME}@${VERSION} with tag=test"
-          npm publish --tag test --access public
-        env:
-          # Unset NODE_AUTH_TOKEN to force npm to use OIDC authentication
-          # Organization may have NPM_TOKEN configured, but we want Trusted Publishers
-          NODE_AUTH_TOKEN: ''
+          
+          # Remove any .npmrc that might interfere with OIDC
+          rm -f ~/.npmrc
+          rm -f .npmrc
+          rm -f /home/runner/work/_temp/.npmrc
+          
+          # Debug: show npm config
+          echo "=== npm config ==="
+          npm config list
+          echo "=== npm version ==="
+          npm --version
+          
+          # Publish using Trusted Publishers (OIDC)
+          npm publish --tag test --access public --provenance
 
       - name: Summary
         run: |
@@ -266,11 +275,14 @@ jobs:
           PACKAGE_NAME="${{ steps.config.outputs.PACKAGE_NAME }}"
           VERSION="${{ steps.config.outputs.VERSION }}"
           echo "Publishing ${PACKAGE_NAME}@${VERSION} with tag=latest"
-          npm publish --tag latest --access public
-        env:
-          # Unset NODE_AUTH_TOKEN to force npm to use OIDC authentication
-          # Organization may have NPM_TOKEN configured, but we want Trusted Publishers
-          NODE_AUTH_TOKEN: ''
+          
+          # Remove any .npmrc that might interfere with OIDC
+          rm -f ~/.npmrc
+          rm -f .npmrc
+          rm -f /home/runner/work/_temp/.npmrc
+          
+          # Publish using Trusted Publishers (OIDC)
+          npm publish --tag latest --access public --provenance
 
       - name: Summary
         run: |
@@ -356,11 +368,14 @@ jobs:
           PACKAGE_NAME="${{ steps.version.outputs.PACKAGE_NAME }}"
           VERSION="${{ steps.version.outputs.VERSION }}"
           echo "Publishing ${PACKAGE_NAME}@${VERSION} with tag=test"
-          npm publish --tag test --access public
-        env:
-          # Unset NODE_AUTH_TOKEN to force npm to use OIDC authentication
-          # Organization may have NPM_TOKEN configured, but we want Trusted Publishers
-          NODE_AUTH_TOKEN: ''
+          
+          # Remove any .npmrc that might interfere with OIDC
+          rm -f ~/.npmrc
+          rm -f .npmrc
+          rm -f /home/runner/work/_temp/.npmrc
+          
+          # Publish using Trusted Publishers (OIDC)
+          npm publish --tag test --access public --provenance
 
       - name: Summary
         run: |
