Merge pull request #503 from cipherstash/ci/npm-oidc-trusted-publishing

ci: publish to npm via OIDC trusted publishing

Author: coderdan

.github/workflows/release.yml

@@ -35,7 +35,7 @@ jobs:
         with:
           node-version: 22
           # No `cache:`, and package-manager-cache disabled. release.yml
-          # publishes to npm (NPM_TOKEN + OIDC) and must not restore the
+          # publishes to npm (OIDC trusted publishing) and must not restore the
           # GitHub Actions cache — a cache-poisoning / supply-chain vector.
           # Enforced by .github/workflows/tests-supply-chain.yml.
           package-manager-cache: false
@@ -46,6 +46,11 @@ jobs:
       - name: Install node-gyp
         run: npm install -g node-gyp
 
+      # npm OIDC trusted publishing requires npm >= 11.5.1; Node 22 ships
+      # npm 10.x. `changeset publish` shells out to this npm to publish.
+      - name: Upgrade npm for OIDC trusted publishing
+        run: npm install -g npm@^11.5.1
+
       - name: Install dependencies
         run: pnpm install
 
@@ -56,5 +61,8 @@ jobs:
           publish: pnpm run release
           commitMode: 'github-api'
         env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          # No NPM_TOKEN — publishing authenticates via npm OIDC trusted
+          # publishing (id-token: write above). If NPM_TOKEN is set,
+          # changesets/action writes a token .npmrc that shadows OIDC and
+          # every publish fails with E404 (see npm/cli#8976).
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

packages/cli/package.json

@@ -2,6 +2,11 @@
 	"name": "stash",
 	"version": "0.16.0",
 	"description": "CipherStash CLI — the one stash command for auth, init, encryption schema, database setup, and secrets.",
+	"repository": {
+		"type": "git",
+		"url": "git+https://github.com/cipherstash/stack.git",
+		"directory": "packages/cli"
+	},
 	"license": "MIT",
 	"author": "CipherStash <hello@cipherstash.com>",
 	"files": [

packages/drizzle/package.json

@@ -12,11 +12,12 @@
 		"postgres"
 	],
 	"bugs": {
-		"url": "https://github.com/cipherstash/protectjs/issues"
+		"url": "https://github.com/cipherstash/stack/issues"
 	},
 	"repository": {
 		"type": "git",
-		"url": "git+https://github.com/cipherstash/protectjs.git"
+		"url": "git+https://github.com/cipherstash/stack.git",
+		"directory": "packages/drizzle"
 	},
 	"license": "MIT",
 	"author": "CipherStash <hello@cipherstash.com>",

packages/migrate/package.json

@@ -2,6 +2,11 @@
   "name": "@cipherstash/migrate",
   "version": "0.2.0",
   "description": "Plaintext-to-encrypted column migration for CipherStash: resumable backfill, per-column state, and EQL lifecycle orchestration.",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/cipherstash/stack.git",
+    "directory": "packages/migrate"
+  },
   "keywords": [
     "cipherstash",
     "encryption",

packages/nextjs/package.json

@@ -9,11 +9,12 @@
 		"nextjs"
 	],
 	"bugs": {
-		"url": "https://github.com/cipherstash/protectjs/issues"
+		"url": "https://github.com/cipherstash/stack/issues"
 	},
 	"repository": {
 		"type": "git",
-		"url": "git+https://github.com/cipherstash/protectjs.git"
+		"url": "git+https://github.com/cipherstash/stack.git",
+		"directory": "packages/nextjs"
 	},
 	"license": "MIT",
 	"author": "CipherStash <hello@cipherstash.com>",

packages/protect-dynamodb/package.json

@@ -11,11 +11,12 @@
 		"security"
 	],
 	"bugs": {
-		"url": "https://github.com/cipherstash/protectjs/issues"
+		"url": "https://github.com/cipherstash/stack/issues"
 	},
 	"repository": {
 		"type": "git",
-		"url": "git+https://github.com/cipherstash/protectjs.git"
+		"url": "git+https://github.com/cipherstash/stack.git",
+		"directory": "packages/protect-dynamodb"
 	},
 	"license": "MIT",
 	"author": "CipherStash <hello@cipherstash.com>",

packages/protect/package.json

@@ -11,11 +11,12 @@
 		"protect"
 	],
 	"bugs": {
-		"url": "https://github.com/cipherstash/protectjs/issues"
+		"url": "https://github.com/cipherstash/stack/issues"
 	},
 	"repository": {
 		"type": "git",
-		"url": "git+https://github.com/cipherstash/protectjs.git"
+		"url": "git+https://github.com/cipherstash/stack.git",
+		"directory": "packages/protect"
 	},
 	"license": "MIT",
 	"author": "CipherStash <hello@cipherstash.com>",

packages/schema/package.json

@@ -9,11 +9,12 @@
 		"builder"
 	],
 	"bugs": {
-		"url": "https://github.com/cipherstash/protectjs/issues"
+		"url": "https://github.com/cipherstash/stack/issues"
 	},
 	"repository": {
 		"type": "git",
-		"url": "git+https://github.com/cipherstash/protectjs.git"
+		"url": "git+https://github.com/cipherstash/stack.git",
+		"directory": "packages/schema"
 	},
 	"license": "MIT",
 	"author": "CipherStash <hello@cipherstash.com>",

packages/stack/package.json

@@ -11,11 +11,11 @@
 		"stack"
 	],
 	"bugs": {
-		"url": "https://github.com/cipherstash/protectjs/issues"
+		"url": "https://github.com/cipherstash/stack/issues"
 	},
 	"repository": {
 		"type": "git",
-		"url": "git+https://github.com/cipherstash/protectjs.git",
+		"url": "git+https://github.com/cipherstash/stack.git",
 		"directory": "packages/stack"
 	},
 	"license": "MIT",

packages/wizard/package.json

@@ -2,6 +2,11 @@
 	"name": "@cipherstash/wizard",
 	"version": "0.3.0",
 	"description": "AI-powered encryption setup for CipherStash. Reads your codebase, picks columns to encrypt, and wires everything up.",
+	"repository": {
+		"type": "git",
+		"url": "git+https://github.com/cipherstash/stack.git",
+		"directory": "packages/wizard"
+	},
 	"license": "MIT",
 	"author": "CipherStash <hello@cipherstash.com>",
 	"files": [