feat: Migrate from NPM_TOKEN to OIDC Trusted Publishing

[ryota-murakami]

Summary

Migrate npm publishing from long-lived NPM_TOKEN to OIDC Trusted Publishing for enhanced security.

Background

The Shai-Hulud worm attack (2025) compromised 1,150+ npm packages by stealing NPM_TOKEN secrets. npm's response: OIDC Trusted Publishing (GA July 2025) eliminates long-lived tokens entirely.

Tasks

• Configure Trusted Publishing on npmjs.com
  • Package Settings → Trusted Publishing → Add GitHub Actions
  • Set: laststance, create-react-app-vite, release.yml
  • Note: npm package name is @laststance/create-react-app
• Update .github/workflows/release.yml
  • Add id-token: write permission
  • Use Node 24 (includes npm 11.x with OIDC support)
  • SHA-pin all GitHub Actions
  • Add --ignore-scripts to install
  • Remove NPM_TOKEN usage
• Update .release-it.json
  • Add "skipChecks": true for OIDC compatibility
• Test release

Security Improvements

Before	After
Long-lived NPM_TOKEN	Short-lived OIDC tokens (15 min)
Token stored in secrets	No secrets needed
Manual provenance	Automatic provenance attestations

Reference

• npm-publish-tool v2.0.0 - Already migrated
• npm Trusted Publishing Docs