From ea2aa666ff22b057c40e602fefbc25469e7aa820 Mon Sep 17 00:00:00 2001
From: Kevin Viricel
Date: Thu, 16 Apr 2026 01:14:31 +0200
Subject: [PATCH] AAWF-694: Migrate NPM publishing to OIDC trusted publishing
Switch from classic NPM token auth to OIDC trusted publishing:
- Add id-token: write permission for OIDC
- Upgrade to actions/setup-node@v4 with Node 24 and registry-url
- Replace yarn publish with npm publish --provenance
- Remove YARN_NPM_AUTH_TOKEN secret dependency
Trusted Publisher has been configured on npmjs.com for all 117 @datadog/datadog-api-client* packages.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .github/workflows/publish.yml | 24 ++++++------------------
 1 file changed, 6 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 096a254e5863..9a24cdb1f928 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -2,6 +2,7 @@ name: Publish package on NPM
 permissions:
 contents: write
+ id-token: write # Required for OIDC trusted publishing
 on:
 release:
@@ -15,9 +16,10 @@ jobs:
 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
 fetch-depth: 1
- - uses: actions/setup-node@v3
+ - uses: actions/setup-node@v4
 with:
- node-version: 18
+ node-version: 24
+ registry-url: 'https://registry.npmjs.org'
 - name: Releasing tag ${{ github.event.release.tag_name }}
 run: |
 corepack enable; yarn
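Review bot: `id-token: write` is added to the workflow-level `permissions:` block next to `contents: write`, so every job in this file, including any added later, can request an OIDC token for the publishing identity. Only the start of the `jobs:` section is visible in this diff, so this is hedged: if the publish job is the only consumer, declare the grant on that job instead, with `contents: read` and `id-token: write` under the job's own `permissions:`. `contents: write` should stay only if a step outside the visible hunks actually writes to the repository or the release.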
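Review bot: `actions/setup-node@v4` is referenced by a mutable tag while the checkout step just above it is pinned to a full commit SHA, and after this change the action runs in a job that can mint the OIDC token used for publishing. Pin it the same way, `- uses: actions/setup-node@<full-commit-sha> # v4.x.y` (placeholder; take the SHA from the action's release page). `node-version: 24` also floats, and npm trusted publishing needs npm CLI 11.5.1 or later, so a comment stating that minimum or an `npm --version` line before publishing would make a too-old bundled npm easy to diagnose. The `run:` script that opens at the end of this hunk continues outside it.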
@@ -29,24 +31,10 @@ jobs:
 cd $(echo $tag_name | rev | cut -d'/' -f2- | rev)
 fi
- yarn_major_version=$(yarn --version | cut -d'.' -f1)
- if [ "$yarn_major_version" -ge 2 ] && [ "$yarn_major_version" -le 4 ]; then
- cmd="yarn npm publish --access public"
- elif [ "$yarn_major_version" -eq 1 ]; then
- cmd="yarn publish --access public"
- else
- echo "Unsupported Yarn version: $yarn_major_version"
- exit 1
- fi
-
 if [ "${{ github.event.release.prerelease }}" == "true" ]; then
- cmd+=" --tag=beta"
+ npm publish --provenance --access public --tag beta
 else
- cmd+=" --tag=latest"
+ npm publish --provenance --access public --tag latest
 fi
-
- eval $cmd
 env:
- NPM_AUTH_TOKEN: ${{ secrets.YARN_NPM_AUTH_TOKEN }}
- YARN_NPM_AUTH_TOKEN: ${{ secrets.YARN_NPM_AUTH_TOKEN }}
 COREPACK_ENABLE_DOWNLOAD_PROMPT: 0
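Review bot: The two added `npm publish` lines repeat the whole command and differ only in the dist-tag, and the condition that selects between them still splices `${{ github.event.release.prerelease }}` into the script text. Passing the value through the step's `env:` (`PRERELEASE: ${{ github.event.release.prerelease }}`) and choosing the tag once, `dist_tag=latest; if [ "$PRERELEASE" = "true" ]; then dist_tag=beta; fi` followed by `npm publish --provenance --access public --tag "$dist_tag"`, keeps event data out of the shell source and leaves a single publish line to audit. The `run:` block starts before this hunk, so how `tag_name` is populated cannot be seen here; the unquoted `cd $(...)` that consumes it deserves the same quoting and env-variable treatment. Dropping the `secrets.YARN_NPM_AUTH_TOKEN` references does not invalidate the token itself, which stays usable until it is revoked on the registry.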