ci: add OIDC provenance support for npm publishing

wangdicoder · wangdicoder · commit c3841469b32b · 2026-03-12T14:17:58.000+11:00
- Add id-token: write permission for OIDC token generation
- Add registry-url to setup-node for npm auth
- Set NPM_CONFIG_PROVENANCE to publish with provenance via OIDC
- Bypasses 2FA/OTP requirement for automated publishing
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -13,6 +13,7 @@ jobs:
     permissions:
       contents: write
       pull-requests: write
+      id-token: write
 
     steps:
       - uses: actions/checkout@v4
@@ -24,6 +25,7 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: 22
+          registry-url: 'https://registry.npmjs.org'
           cache: 'pnpm'
 
       - name: Install dependencies
@@ -43,3 +45,4 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
