feat(ci): add npm OIDC trusted publishing with provenance

CybotTM · CybotTM · commit cb67c1f8f14b · 2026-02-16T14:31:54.000+01:00
- Add id-token: write permission for OIDC token generation
- Switch from yarn publish to npm publish --provenance (Yarn 1.x
  does not support provenance attestations)
- NPM_TOKEN kept as fallback until trusted publishing is configured
  on npmjs.com
- Fix pr-quality.yml: secrets can't be referenced in if conditions;
  use fallback expression and || true for graceful failure
diff --git a/.github/workflows/pr-quality.yml b/.github/workflows/pr-quality.yml
@@ -52,8 +52,8 @@ jobs:
               run: gh pr review --approve "$PR_URL"
 
             - name: Auto-approve (bot via APPROVE_TOKEN)
-              if: steps.check-permission.outputs.permission == 'bot' && secrets.APPROVE_TOKEN != ''
+              if: steps.check-permission.outputs.permission == 'bot'
               env:
                   PR_URL: ${{ github.event.pull_request.html_url }}
-                  GH_TOKEN: ${{ secrets.APPROVE_TOKEN }}
-              run: gh pr review --approve "$PR_URL"
+                  GH_TOKEN: ${{ secrets.APPROVE_TOKEN || secrets.GITHUB_TOKEN }}
+              run: gh pr review --approve "$PR_URL" || true
diff --git a/.github/workflows/release.when-tagged.yml b/.github/workflows/release.when-tagged.yml
@@ -1,6 +1,10 @@
 # Publish and create GitHub Release when a signed tag is pushed.
 # Triggered by: git tag -s vX.Y.Z -m "vX.Y.Z" && git push origin vX.Y.Z
 # Also available via workflow_dispatch for manual reruns.
+#
+# npm authentication uses OIDC trusted publishing (no NPM_TOKEN needed).
+# Setup: https://www.npmjs.com/package/@netresearch/node-magento-eqp/access
+# → Trusted Publisher → GitHub Actions → workflow: release.when-tagged.yml
 
 name: 📦☁️ Release
 
@@ -13,6 +17,7 @@ on:
 permissions:
     contents: write
     packages: write
+    id-token: write # OIDC trusted publishing to npm
 
 env:
     HUSKY: '0'
@@ -37,8 +42,8 @@ jobs:
             - name: 🔨 Build
               run: yarn build:lib
 
-            - name: ☁️ Publish to NPM
-              run: yarn publish --access=public
+            - name: ☁️ Publish to NPM (OIDC + provenance)
+              run: npm publish --access=public --provenance
               env:
                   NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
@@ -49,7 +54,7 @@ jobs:
                   scope: '@netresearch'
 
             - name: ☁️ Publish to GitHub Package Registry
-              run: yarn publish --access=public
+              run: npm publish --access=public
               env:
                   NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
