From 897e12f46a66c559acc9bcfcd12efe3ba6e37cec Mon Sep 17 00:00:00 2001
From: Anjey Tsibylskij <130153594+atldays@users.noreply.github.com>
Date: Fri, 13 Mar 2026 15:55:38 +0200
Subject: [PATCH] ci(workflow): add OIDC diagnostics and registry URL to release workflow
---
 .github/workflows/release.yml | 49 +++++++++++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index adcfd3f..2fd10c0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -50,12 +50,61 @@ jobs:
 with:
 node-version: 22
 cache: 'npm'
+ registry-url: 'https://registry.npmjs.org'
 - name: Update npm
 run: |
 npm install -g npm@11.7.0
 npm -v
+ - name: Diagnostic info
+ run: |
+ echo "node=$(node -v)"
+ echo "npm=$(npm -v)"
+ if [ -n "${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" ]; then
+ echo "oidc=available"
+ else
+ echo "oidc=missing"
+ fi
+
+ - name: Inspect OIDC claims
+ run: |
+ if [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" ] || [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL}" ]; then
+ echo "OIDC token request env vars are missing"
+ exit 1
+ fi
+
+ RESPONSE="$(curl -sSf -H "Authorization: bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=npm:registry.npmjs.org")"
+ OIDC_TOKEN="$(node -e 'const fs = require("fs"); const input = fs.readFileSync(0, "utf8"); process.stdout.write(JSON.parse(input).value);' <<< "$RESPONSE")"
+
+ node - <<'EOF' "$OIDC_TOKEN"
+ const token = process.argv[2];
+ const payload = token.split(".")[1];
+
+ if (!payload) {
+ throw new Error("Unable to decode OIDC token payload");
+ }
+
+ const claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
+ const out = {
+ aud: claims.aud,
+ repository: claims.repository,
+ repository_owner: claims.repository_owner,
+ ref: claims.ref,
+ sha: claims.sha,
+ event_name: claims.event_name,
+ workflow: claims.workflow,
+ workflow_ref: claims.workflow_ref,
+ job_workflow_ref: claims.job_workflow_ref,
+ runner_environment: claims.runner_environment,
+ environment: claims.environment,
+ actor: claims.actor,
+ sub: claims.sub,
+ };
+
+ console.log(JSON.stringify(out, null, 2));
+ EOF
+
 - name: Install dependencies
 run: npm ci
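Review bot: In the `Inspect OIDC claims` step, the ID token minted for audience `npm:registry.npmjs.org` is a live bearer credential, but it is never registered with the log masker and is passed to node on the command line (`node - <<'EOF' "$OIDC_TOKEN"`), where it is visible in the process list and in any shell trace. The script as written prints only selected claims, so nothing leaks from these lines today, but a later `set -x` or debug echo would expose the raw token in the job log. I would add `echo "::add-mask::${OIDC_TOKEN}"` right after the `OIDC_TOKEN=` assignment and pass the value through the environment instead, `OIDC_TOKEN="$OIDC_TOKEN" node - <<'EOF'`, reading it from `process.env.OIDC_TOKEN` in the script. Because these are diagnostics inside the release job, it is also worth gating both new steps on debug logging being enabled, so a normal release does not mint an extra token or stop at `exit 1`. The job's `permissions` block is outside this hunk, so whether `id-token: write` is granted cannot be confirmed from here.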