From 81ce7c07091c73d7d710ddca656e7d31e27a16de Mon Sep 17 00:00:00 2001
From: Jason Kummerl
Date: Thu, 25 Jun 2026 16:02:27 -0400
Subject: [PATCH] ci(npm-publish): add environment: production to publish job for OIDC

The npm trusted publisher for @humanspeak/svelte-diff-match-patch is scoped to the `production` environment, but the publish-github-packages job did not declare `environment: production`. Without it the OIDC token GitHub mints lacks the environment claim, so npm rejects the trusted-publish with ENEEDAUTH (run 28196102507). Every other repo in the fleet already sets this.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/npm-publish.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index b14269d..a4d3a9b 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -307,6 +307,7 @@ jobs:
 needs: [check-if-merged, build, playwright-tests, coverage-report]
 if: needs.check-if-merged.outputs.should_run == 'true'
 runs-on: ubuntu-latest
+ environment: production
 permissions:
 contents: write
 packages: write
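Review bot: The job-level `permissions:` block right after the added line shows only `contents: write` and `packages: write`, and the hunk ends before the block does, so it is not visible whether `id-token: write` is granted. A job-level `permissions:` block sets every unlisted scope to none, so without `id-token: write` the job cannot request an OIDC token at all and the trusted publish would still fail regardless of the environment claim. Since the npm trusted publisher is bound to this environment name, it would help to say so next to the key, e.g. `environment: production  # must match the environment on the npm trusted publisher`. Because any job that declares this environment now receives a publish-capable token, it is also worth confirming that the `production` environment has deployment branch restrictions or required reviewers configured.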