feat: switch npm publish to OIDC trusted publishing

lilith · lilith · commit 0b8f07cbdcf3 · 2026-02-26T18:15:01.000-07:00
- Add permissions (id-token: write) for OIDC provenance
- Bump Node from 20 to 22 (npm CLI 11.5.1+ required for OIDC)
- Add --provenance flag for supply chain attestation
- Remove NPM_TOKEN secret (classic tokens revoked Dec 2025)
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
@@ -7,13 +7,16 @@ on:
 jobs:
   publish:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - uses: actions/checkout@v4
 
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '20'
+          node-version: '22'
           registry-url: https://registry.npmjs.org/
 
       - name: Install dependencies
@@ -23,6 +26,4 @@ jobs:
         run: npm run build
 
       - name: Publish to npm
-        run: npm publish --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npm publish --access public --provenance
