From ee85d1c2d9bb1309799fcec4ea925f7f09a3ba23 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tomasz=20Cichoci=C5=84ski?= Date: Mon, 25 May 2026 21:11:44 +0200 Subject: [PATCH] ci: switch npm publish to Trusted Publishing (OIDC) Replaces the NPM_TOKEN secret with npm's OIDC-based trusted publisher auth so CI no longer trips over the 2FA OTP prompt that blocked recent publishes. Adds id-token: write to both the called workflow and the caller, bumps setup-node to v4 and Node to 22 (required for npm >= 11.5.1, which performs the OIDC exchange), and drops NODE_AUTH_TOKEN. Requires the @jam.dev/rimless package to have a trusted publisher configured on npmjs.com pointing at jamdotdev/rimless + npm-publish.yml before this merges.
---
 .github/workflows/npm-publish.yml | 15 ++++++++------- .github/workflows/publish-release.yml | 7 +++++-- 2 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index a6e5b9a..53a330e 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -5,12 +5,15 @@ on: types: [published] # or it is called by another workflow workflow_call: - secrets: - NPM_TOKEN: - required: true jobs: build: runs-on: ubuntu-latest + # Required for npm Trusted Publishing (OIDC). Without `id-token: write` + # GitHub will not mint the OIDC token that npm exchanges for a + # short-lived publish credential. + permissions: + id-token: write + contents: read # When invoked via `workflow_call`, `github.event_name` reflects the # ROOT triggering event of the caller (e.g. `pull_request`), NOT # `workflow_call` — so a `== 'workflow_call'` check never matches. 
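Review bot: The trusted publisher this job now depends on is keyed to the workflow file name, yet the job is also reachable via `workflow_call`, so once `id-token: write` is granted here any workflow in the repository that calls npm-publish.yml inherits the ability to publish. Consider binding the job to a GitHub environment (`environment: <environment-name>`, using the same name registered in the npm trusted publisher) so that deployment protection rules — required reviewers, branch restrictions — gate issuance of the OIDC token rather than the file name alone. The `build` job continues past this hunk (the condition the trailing comments describe is outside it), so the `environment:` line would sit next to the new `permissions:` block. The added comment could also state that the caller's job must grant `id-token: write` as well, since a reusable workflow cannot exceed the permissions of the job that calls it.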
@@ -24,13 +27,11 @@ jobs: - name: Checkout uses: actions/checkout@v4 - name: Setup Node - uses: actions/setup-node@v3 + uses: actions/setup-node@v4 with: - node-version: "20.x" + node-version: "22" registry-url: "https://registry.npmjs.org" - name: Install dependencies run: npm ci - name: Publish package on NPM run: npm publish - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index c1f624f..353adfa 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -90,5 +90,8 @@ jobs: publish-package: needs: publish-release uses: ./.github/workflows/npm-publish.yml - secrets: - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} + # npm Trusted Publishing (OIDC) — no NPM_TOKEN secret needed. + # The called workflow declares `permissions: id-token: write` itself. + permissions: + id-token: write + contents: read
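Review bot: `node-version: "22"` satisfies the engine requirement of npm 11.5.1, but the npm bundled with a Node 22 toolchain may still be a 10.x release; if it is, `npm publish` never attempts the OIDC exchange and, with `NODE_AUTH_TOKEN` removed in the same hunk, fails for lack of credentials. Add an explicit client upgrade before the publish step, e.g. `- run: npm install -g npm@latest` (or pin a version `>= 11.5.1`), and print `npm --version` so the job log records which client performed the publish. If provenance is wanted, passing `--provenance` on the `npm publish` line makes the intent explicit and fails loudly when attestation cannot be produced. The step list belongs to the `build` job, whose header is outside this hunk.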
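Review bot: The new comment says the called workflow declares `id-token: write` itself, which reads as though this caller block were redundant; it is the other way round — a reusable workflow can only use permissions granted by the calling job, so this block is the ceiling and both declarations are required. Reword it to `# The calling job must grant id-token: write — a reusable workflow cannot exceed its caller's permissions.` so the next maintainer does not remove the block as duplicate. Note also that a `uses:` job cannot set `environment:`, so any environment-based gating of the trusted publisher has to be declared inside npm-publish.yml, not here.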