From aa4a6b73a69c4b665f60f4fb4f0c86e0e382d406 Mon Sep 17 00:00:00 2001 From: Jake Klassen Date: Fri, 13 Mar 2026 11:05:58 -0400 Subject: [PATCH 1/2] ci: add --provenance flag for npm trusted publishing Closes #9 Co-Authored-By: Claude Opus 4.6 --- .github/workflows/release.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 9a6a1be..f4c047c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -28,4 +28,6 @@ jobs: GITHUB_TOKEN: ${{secrets.RELEASER_TOKEN}} - run: pnpm i - - run: pnpm publish --no-git-checks --access public --filter objecs + - run: pnpm publish --no-git-checks --access public --provenance --filter objecs + env: + NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}} From 6cde5821a177ea63f1ad0f29b7379543eaffe1f6 Mon Sep 17 00:00:00 2001 From: Jake Klassen Date: Fri, 13 Mar 2026 11:14:40 -0400 Subject: [PATCH 2/2] ci: remove NODE_AUTH_TOKEN to enforce OIDC-only publishing With trusted publishing configured, npm uses OIDC directly. Keeping NODE_AUTH_TOKEN would allow fallback to token-based auth, defeating the purpose of the migration. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/release.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index f4c047c..e030b11 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -28,6 +28,5 @@ jobs: GITHUB_TOKEN: ${{secrets.RELEASER_TOKEN}} - run: pnpm i + # OIDC trusted publishing — no token needed - run: pnpm publish --no-git-checks --access public --provenance --filter objecs - env: - NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}