ci: use npm OIDC trusted publishing (no NPM_TOKEN)

piotrski · piotrski · commit 107550ec4551 · 2026-02-09T22:41:11.000+01:00
Replace static NPM_TOKEN auth with npm's OIDC trusted publishing.
Requires npm &gt;= 11.5.1 for OIDC support, so we install latest npm
via actions/setup-node. Also adds repository field to package.json
which npm requires for trusted publisher verification.
diff --git a/.github/workflows/changesets.yml b/.github/workflows/changesets.yml
@@ -22,14 +22,16 @@ jobs:
         with:
           bun-version: latest
 
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+
+      - name: Update npm for OIDC trusted publishing
+        run: npm install -g npm@latest
+
       - name: Install dependencies
         run: bun install
 
-      - name: Setup npm auth
-        run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > .npmrc
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-
       - name: Build
         run: bun run build
 
@@ -40,4 +42,3 @@ jobs:
           version: bun run version
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_CONFIG_PROVENANCE: true
diff --git a/.github/workflows/snapshot-release.yml b/.github/workflows/snapshot-release.yml
@@ -21,6 +21,13 @@ jobs:
         with:
           bun-version: latest
 
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '22'
+
+      - name: Update npm for OIDC trusted publishing
+        run: npm install -g npm@latest
+
       - name: Install dependencies
         run: bun install
 
@@ -32,9 +39,5 @@ jobs:
 
       - name: Publish snapshot to npm
         run: |
-          echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > .npmrc
           npx changeset version --snapshot canary
           npx changeset publish --tag canary --no-git-tag
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-          NPM_CONFIG_PROVENANCE: true
diff --git a/packages/agent-react-devtools/package.json b/packages/agent-react-devtools/package.json
@@ -14,6 +14,11 @@
     "typecheck": "tsc --noEmit",
     "lint": "tsc --noEmit"
   },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/piotrski/agent-react-devtools.git",
+    "directory": "packages/agent-react-devtools"
+  },
   "license": "MIT",
   "devDependencies": {
     "@types/node": "^22.0.0",
