Does goreleaser-pro support publishing to npm via the Trusted Publishers workflow?

[frenchi]

Context

NPM's Trusted Publishers lets you publish via CI/CD using OIDC instead of long-lived tokens, improving security with automatic provenance and shorter credential lifetimes.

Issue:

I was previously able to successful publish to NPM with the following config:

...
npms:
  - id: run-mcp
    name: "@ensignia/run-mcp"
    description: A fast, portable, single-binary security scanner for the Model Context Protocol (MCP).
    homepage: https://github.com/ensigniasec/run-mcp
    keywords:
      - cli
      - golang
      - mcp
      - security
      - scanner
    license: Apache-2.0
    author: Ensignia Security [email-protected]
    repository: https://github.com/ensigniasec/run-mcp
    bugs: https://github.com/ensigniasec/run-mcp/issues
    access: public
    format: tar.gz
...

However, after enabling NPM's Trusted Publishers and following the steps to require two factor auth and disable access tokens, I seem to be trapped between failures when I submit with an NPM_TOKEN:

#  https://github.com/ensigniasec/run-mcp/actions/runs/17846686768/job/50747398652
...
npm notice Publishing to https://registry.npmjs.org/ with tag latest and public access
npm error code E403
npm error 403 403 Forbidden - PUT https://registry.npmjs.org/@ensignia%2frun-mcp - Two-factor authentication is required to publish this package but an automation token was specified
npm error 403 In most cases, you or one of your dependencies are requesting
npm error 403 a package version that is forbidden by your security policy, or
npm error 403 on a server you do not have access to.

and failures when I submit without an NPM_TOKEN (recommended Trusted Publishers approach)

# https://github.com/ensigniasec/run-mcp/actions/runs/17846938123/job/50752136472
...
npm error code ENEEDAUTH
npm error need auth This command requires you to be logged in to https://registry.npmjs.org/
npm error need auth You need to authorize this machine using `npm adduser`
npm error A complete log of this run can be found in: /home/runner/.npm/_logs/2025-09-19T04_21_58_393Z-debug-0.log

Workaround:

Downgrading to long-lived tokens allowed this workflow to succeed.

Under Package → Settings → Publishing access

Questions:

• Does goreleaser-pro plan to support NPM's Trusted Publishers?
• What in goreleaser-pro's existing NPM Publish workflow uses long-lived access tokens?

[frenchi]

On further testing, I can't repro the error & goreleaser does currently support Trusted Publishers workflow: https://github.com/frenchi/test-goreleaser-npm-trusted