From b55e5eba3e3ccbbbdeb6b516a1c29408a00ed091 Mon Sep 17 00:00:00 2001
From: Xiaojun Weng
Date: Thu, 30 Apr 2026 11:30:37 +0800
Subject: [PATCH 1/2] ci: use npm trusted publishing

---
 .github/workflows/publish.yml | 58 ++++++++++++++++++++++++++---------
 1 file changed, 43 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 6184a5067..3e53660c9 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,10 +4,17 @@ on:
 pull_request:
 branches:
 - main
- - 'v*-dev'
- - 'v*-stable'
+ - "v*-dev"
+ - "v*-stable"
 types: [closed]
 
+permissions:
+ contents: write
+ actions: read
+ issues: read
+ pull-requests: read
+ id-token: write
+
 jobs:
 publish:
 if: github.event.pull_request.merged == true
@@ -20,7 +27,7 @@ jobs:
 - name: checkout
 uses: actions/checkout@v4
 - name: Setup node
- uses: actions/setup-node@v3
+ uses: actions/setup-node@v4
 with:
 node-version: ${{ matrix.node }}
 - name: Setup yarn
@@ -33,11 +40,6 @@ jobs:
 - name: Copy Readme
 run: |
 cp ./README.md packages/eagle/README.md
- - name: Write .npmrc
- env:
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
- run: |
- echo //registry.npmjs.org/:_authToken=$NPM_TOKEN >> ~/.npmrc
 - name: Set Current Version
 run: |
 CURRENT_VERSION=$(node -p 'require("./lerna.json").version')
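Review bot: The new `permissions` block is declared at workflow level, so every job in this file, not only `publish`, runs with `contents: write` and `id-token: write`; if `publish` is the only job the effect is identical, but moving the block under `jobs.publish` keeps any job added later on the default read-only token and makes the OIDC grant local to the step that needs it. `contents: write` and `actions: read` are consumed by the release and artifact-download steps visible later in the patch, so the set itself looks justified rather than over-broad. As far as I know GitHub does not grant `id-token: write` to `pull_request` runs triggered from a fork, so this flow presumably relies on release PRs originating in the same repository; worth confirming before the first real release. Since the hunk at `-33,11` removes the last use of `secrets.NPM_TOKEN`, the stored token should now be revoked and deleted from the repository secrets rather than left dormant.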
@@ -64,14 +66,43 @@ jobs:
 github_repo: ${{ github.repository }}
 git_commit_sha: ${{ github.sha }}
 git_tag_prefix: "v"
+ - name: Setup npm trusted publishing
+ if: steps.tag_check.outputs.exists_tag == 'false'
+ uses: actions/setup-node@v4
+ with:
+ node-version: 22.14.0
+ registry-url: https://registry.npmjs.org
+ - name: Install npm with OIDC support
+ if: steps.tag_check.outputs.exists_tag == 'false'
+ run: |
+ npm install -g npm@^11.5.1
+ npm --version
 - name: Publish
 uses: nick-fields/retry@v2
 if: steps.tag_check.outputs.exists_tag == 'false'
 with:
- timeout_minutes: 10 # 设置超时时间,单位为分钟
- max_attempts: 3 # 设置最大重试次数
+ timeout_minutes: 10 # 设置超时时间,单位为分钟
+ max_attempts: 3 # 设置最大重试次数
 command: |
- yarn lerna publish from-package --no-verify-access --yes
+ set -eu
+ ./node_modules/.bin/lerna list --toposort --json --loglevel silent > /tmp/publish-packages.json
+ node -e '
+ const fs = require("fs");
+ const packages = JSON.parse(fs.readFileSync("/tmp/publish-packages.json", "utf8"));
+ for (const pkg of packages) {
+ const manifest = require(`${process.cwd()}/${pkg.location}/package.json`);
+ if (manifest.private) continue;
+ console.log(`${pkg.location}\t${manifest.name}\t${manifest.version}`);
+ }
+ ' > /tmp/publish-list.tsv
+ while IFS="$(printf '\t')" read -r location name version; do
+ if npm view "${name}@${version}" version >/dev/null 2>&1; then
+ echo "Skip ${name}@${version}: already published"
+ else
+ echo "Publish ${name}@${version}"
+ npm publish "${location}" --access public
+ fi
+ done < /tmp/publish-list.tsv
 - name: Get Output
 if: steps.tag_check.outputs.exists_tag == 'false'
 uses: dawidd6/action-download-artifact@v6
@@ -131,9 +162,6 @@ jobs:
 uses: softprops/action-gh-release@v1
 with:
 body: ${{steps.github_release.outputs.changelog}}
- tag_name: 'v${{ env.CURRENT_VERSION }}'
+ tag_name: "v${{ env.CURRENT_VERSION }}"
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- - name: Clean .npmrc
- if: always()
- run: rm ~/.npmrc
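Review bot: `npm install -g npm@^11.5.1` in the new `Install npm with OIDC support` step is a floating caret range, so each release run may fetch a different npm build from the registry; a publishing job is exactly where reproducibility matters, so pin it exactly, `npm install -g npm@11.5.1`, and bump it deliberately. In the node snippet the `require` of `process.cwd()` joined with `pkg.location` assumes `lerna list --json` reports locations relative to the checkout; I believe lerna emits absolute paths, in which case the workspace root is doubled and the step fails, so `require(require("path").join(pkg.location, "package.json"))` would be the robust form (moot if the follow-up patch that restores `lerna publish` is kept). The `npm view … else npm publish` branch makes the body safe to re-run under `nick-fields/retry`, which is the right property for a retried publish, though a transient registry error also takes the publish branch and then relies on the registry rejecting a duplicate version. The `Publish` step's `with:` mapping continues outside this hunk.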
From 2c7926356c22f897f26f86048e0f1c3fa232f56b Mon Sep 17 00:00:00 2001
From: Xiaojun Weng
Date: Thu, 30 Apr 2026 11:36:14 +0800
Subject: [PATCH 2/2] ci: keep lerna publish for trusted publishing

---
 .github/workflows/publish.yml | 20 +-------------------
 1 file changed, 1 insertion(+), 19 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 3e53660c9..c368c4623 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -84,25 +84,7 @@ jobs:
 timeout_minutes: 10 # 设置超时时间,单位为分钟
 max_attempts: 3 # 设置最大重试次数
 command: |
- set -eu
- ./node_modules/.bin/lerna list --toposort --json --loglevel silent > /tmp/publish-packages.json
- node -e '
- const fs = require("fs");
- const packages = JSON.parse(fs.readFileSync("/tmp/publish-packages.json", "utf8"));
- for (const pkg of packages) {
- const manifest = require(`${process.cwd()}/${pkg.location}/package.json`);
- if (manifest.private) continue;
- console.log(`${pkg.location}\t${manifest.name}\t${manifest.version}`);
- }
- ' > /tmp/publish-list.tsv
- while IFS="$(printf '\t')" read -r location name version; do
- if npm view "${name}@${version}" version >/dev/null 2>&1; then
- echo "Skip ${name}@${version}: already published"
- else
- echo "Publish ${name}@${version}"
- npm publish "${location}" --access public
- fi
- done < /tmp/publish-list.tsv
+ yarn lerna publish from-package --no-verify-access --yes
 - name: Get Output
 if: steps.tag_check.outputs.exists_tag == 'false'
 uses: dawidd6/action-download-artifact@v6
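Review bot: Restoring `yarn lerna publish from-package --no-verify-access --yes` hands the registry call to lerna's own publish client rather than to the `npm` CLI that the preceding `Install npm with OIDC support` step upgrades, so whether the OIDC token exchange actually happens depends on the lerna version resolved from the lockfile, which this diff neither pins nor shows; confirm on the first run that the publish log reports the trusted-publishing path instead of silently falling back to a `NODE_AUTH_TOKEN` lookup that no longer exists. `--no-verify-access` was originally there to skip the token-based access check and is harmless here, but a comment such as `# trusted publishing: auth comes from the job's OIDC id-token, no npm token is configured` above `command:` would tell the next maintainer why no credential appears in this step. The `Publish` step's `uses:` and `if:` lines sit above this hunk.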