From 80f1321c73319b56571e2c2d795a90e0ffd14514 Mon Sep 17 00:00:00 2001
From: Kurt Overmier
Date: Sat, 18 Apr 2026 06:26:41 -0500
Subject: [PATCH] ci(release): swap pnpm for npm in publish step for trusted-publisher OIDC
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
pnpm 9's `--provenance` attaches attestations via OIDC but still uses NODE_AUTH_TOKEN for publish auth. npm CLI's `--provenance` does the full OIDC-based publish auth that npm trusted publishers expect. v0.12.0 release attempts returned `E404` on the first package (@stackbilt/adf) — npm's stealth 404 for trusted-publisher auth rejection. Trusted-publisher config verified identical across all 11 packages; hypothesis is that pnpm's token-auth path is being rejected by npm for packages with trusted-publisher configured. `npm publish --workspaces` iterates all non-private packages in `packages/*/` (root package.json declares the workspace glob). NODE_AUTH_TOKEN retained as belt-and-braces for any package without a trusted publisher.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a1c20aa..2f381be 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -139,4 +139,4 @@ jobs:
 - name: Publish to npm
 env:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
- run: pnpm -r publish --access public --no-git-checks --provenance
+ run: npm publish --workspaces --access public --provenance
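Review bot: The publish step still injects the long-lived `secrets.NPM_TOKEN` as `NODE_AUTH_TOKEN`, so the credential that trusted publishing is meant to retire stays exposed to every lifecycle script npm runs while publishing the workspaces, and a token fallback could mask a broken OIDC setup. Once an OIDC publish is confirmed, drop the `env:` / `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` pair from this step, or at least scope the token to the packages that have no trusted publisher. The job header is outside this hunk, so confirm that it grants `permissions: id-token: write` and that the runner's npm is a release that supports trusted publishing. Separately, `npm publish` does not rewrite pnpm's `workspace:` dependency specifiers the way `pnpm publish` does; if any package manifest uses them, the published tarballs would carry unresolvable ranges.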