From fc1101d23a49b96ae1748b822a03c21166a91453 Mon Sep 17 00:00:00 2001
From: Myles Scolnick
Date: Tue, 12 May 2026 13:29:26 -0400
Subject: [PATCH 1/4] chore(ci): split release.yml into build/publish/release-notes/notify jobs

Splits the single release job into 4 jobs so the `id-token: write` scope is held only by a publish job that runs `npm publish` exclusively (no install/test/build/exec).

- build (no id-token): install, typecheck, test, build, validate, upload dist/ + package metadata as artifact.
- publish (id-token: write): download artifact, npm publish --ignore-scripts.
- release-notes (contents: write, no id-token): npx changelogithub.
- notify (if: always()): slack notification, aggregates needs.*.result.

Resolves the supply-chain audit oidc-publish-fused finding. Motivated by the TanStack npm supply-chain compromise (May 2026).
---
 .github/workflows/release.yml | 58 +++++++++++++++++++++++++++++------
 1 file changed, 49 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 02b444f..b2500f2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,8 +1,7 @@
 name: Release
 
 permissions:
-  id-token: write # Required for OIDC
-  contents: write
+  contents: read
 
 on:
   push:
@@ -10,7 +9,7 @@ on:
       - 'v*'
 
 jobs:
-  release:
+  build:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
@@ -24,10 +23,8 @@ jobs:
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           node-version: 24
-          registry-url: 'https://registry.npmjs.org'
           cache: pnpm
-
 
       - name: 📥 Install dependencies
         run: pnpm install --frozen-lockfile
 
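Review bot: With `contents: read` as the workflow-level default on the new line 4 of this hunk, every job that declares no `permissions:` block — `build`, and the `notify` job this series adds later — still receives a repo-scoped GITHUB_TOKEN, although notify only appears to need the Slack webhook secret. The tighter form is `permissions: {}` at workflow level with `contents: read` declared on `build` alone, where the checkout needs it; jobs that already declare their own block are unaffected. Dropping `registry-url` from the build job's setup-node in the `@@ -24,10` hunk is the right complement, since the build job then gets no registry auth entry written by setup-node.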
@@ -64,21 +61,64 @@ jobs:
           echo "✅ Build artifacts validation passed"
 
+      - name: 📤 Upload package artifact
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: package
+          path: |
+            dist/
+            package.json
+            README.md
+            LICENSE
+          retention-days: 1
+          if-no-files-found: error
+
+  publish:
+    needs: build
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - name: ⎔ Setup Node.js
+        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
+        with:
+          node-version: 24
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: 📥 Download package artifact
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+        with:
+          name: package
+
       - name: 📦 Publish to NPM
-        run: pnpm publish --no-git-checks
+        run: npm publish --ignore-scripts
         env:
           NODE_AUTH_TOKEN: "" # Clear placeholder set by setup-node to enable OIDC
 
+  release-notes:
+    needs: publish
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          fetch-depth: 0
       - name: 📝 Update Changelog
         run: npx changelogithub
         env:
-          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
+  notify:
+    needs: [build, publish, release-notes]
+    if: always()
+    runs-on: ubuntu-latest
+    steps:
       - name: 📣 Notify release result
-        if: always()
         uses: marimo-team/internal-gh-actions/release-notification@ba06d4db1f3c5c9b86983ce409e57196f8376777 # main
         with:
-          status: ${{ job.status }}
+          status: ${{ contains(needs.*.result, 'failure') && 'failure' || 'success' }}
           slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL_RELEASES }}
           artifact-url: "https://npmjs.com/package/@marimo-team/codemirror-sql"

From 7ad02e470ce1d0614513968313b7328a24ac2b5b Mon Sep 17 00:00:00 2001
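Review bot: The new `publish` job publishes whatever `package.json` arrives in the artifact without checking that its `version` matches the `v*` tag that triggered the run, so a tag pushed against a commit whose manifest still carries an older version would publish that older version under the new tag's name. A guard step between the download and the publish makes the job fail closed, comparing `node -p "require('./package.json').version"` with `${GITHUB_REF_NAME#v}`. Separately, `NODE_AUTH_TOKEN: ""` together with OIDC depends on the registry's trusted-publisher configuration naming this workflow file and job; if they do not match, the publish fails rather than falling back to a token, which is the desired outcome but worth saying in the inline comment on that line.

```yaml
      - name: 📥 Download package artifact
      # … unchanged: download-artifact step …

      - name: 🔍 Verify artifact version matches tag
        run: |
          pkg_version="$(node -p "require('./package.json').version")"
          tag_version="${GITHUB_REF_NAME#v}"
          if [ "$pkg_version" != "$tag_version" ]; then
            echo "package.json version $pkg_version does not match tag $tag_version" >&2
            exit 1
          fi

      - name: 📦 Publish to NPM
      # … unchanged: publish step …
```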
From: Myles Scolnick
Date: Tue, 12 May 2026 13:42:22 -0400
Subject: [PATCH 2/4] fix(ci): bump publish node-version to 24, add setup-node to release-notes, handle cancelled in notify

---
 .github/workflows/release.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b2500f2..ba893f4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -106,6 +106,11 @@ jobs:
         with:
           fetch-depth: 0
+      - name: ⎔ Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: 24
+
       - name: 📝 Update Changelog
         run: npx changelogithub
         env:
@@ -119,6 +124,6 @@ jobs:
       - name: 📣 Notify release result
         uses: marimo-team/internal-gh-actions/release-notification@ba06d4db1f3c5c9b86983ce409e57196f8376777 # main
         with:
-          status: ${{ contains(needs.*.result, 'failure') && 'failure' || 'success' }}
+          status: ${{ (contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled')) && 'failure' || 'success' }}
           slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL_RELEASES }}
           artifact-url: "https://npmjs.com/package/@marimo-team/codemirror-sql"

From 60371d631fdaaeb868cf41658efe12c5654178da Mon Sep 17 00:00:00 2001
From: Myles Scolnick
Date: Tue, 12 May 2026 13:48:03 -0400
Subject: [PATCH 3/4] fix(ci): use pnpm publish --no-git-checks instead of npm publish

---
 .github/workflows/release.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ba893f4..7c809b5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -80,7 +80,10 @@ jobs:
       id-token: write
       contents: read
     steps:
-      - name: ⎔ Setup Node.js
+      - name: ⎔ Setup pnpm
+        uses: pnpm/action-setup@b906affcce14559ad1aafd4ab0e942779e9f58b1 # v4
+
+      - name: ⎔ Setup Node.js
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6
         with:
           node-version: 24
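Review bot: The setup-node step added to `release-notes` pins `49933ea…` (v4) while the build and publish jobs pin `53b8394…` (v6); two pinned versions of the same action in one workflow make the SHA audit harder and there is no evident reason for the older one here, so `uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6` keeps the file on a single pin. The larger point for a job holding `contents: write` is the context line `run: npx changelogithub` below the insertion: `npx` resolves the package and its entire dependency tree from the registry at run time, and pinning the top-level version (as a later commit in this series does) does not pin the transitive tree. Declaring changelogithub as a devDependency so the lockfile covers it, then running `pnpm exec changelogithub` after a `pnpm install --ignore-scripts --frozen-lockfile` in this job, puts the code this job fetches under the same integrity checks the build job already has.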
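Review bot: The new `Setup pnpm` step in the `publish` job runs `pnpm/action-setup` with no `version:` input in a job that has no checkout, and the artifact holding `package.json` is only downloaded two steps later, so if the action is expected to read the pnpm version from a `packageManager` field it has nothing to read at that point; either pass an explicit `version:` or move the download step ahead of the pnpm setup. An explicit, pinned version is preferable on its own for the job that holds `id-token: write`, since it removes a run-time lookup from the toolchain. Whether the pnpm release in use supports npm's OIDC trusted publishing (needed once `NODE_AUTH_TOKEN` is emptied) is not visible from this hunk and belongs in a comment on the step, e.g. `# pnpm must be a release with npm trusted-publishing (OIDC) support; the publish fails closed otherwise`.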
@@ -92,7 +95,7 @@ jobs:
           name: package
 
       - name: 📦 Publish to NPM
-        run: npm publish --ignore-scripts
+        run: pnpm publish --no-git-checks --ignore-scripts
         env:
           NODE_AUTH_TOKEN: "" # Clear placeholder set by setup-node to enable OIDC
 

From 5cf80151d4fa080cfe94b4fda05d3bc15df30943 Mon Sep 17 00:00:00 2001
From: Myles Scolnick
Date: Tue, 12 May 2026 13:55:29 -0400
Subject: [PATCH 4/4] fix(ci): pin changelogithub@14.0.0 and add --ignore-scripts to build install

---
 .github/workflows/release.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7c809b5..aab6c78 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -26,7 +26,7 @@ jobs:
           cache: pnpm
 
       - name: 📥 Install dependencies
-        run: pnpm install --frozen-lockfile
+        run: pnpm install --ignore-scripts --frozen-lockfile
 
       - name: 🔍 Type Check
         run: pnpm run typecheck
@@ -115,7 +115,7 @@ jobs:
           node-version: 24
 
       - name: 📝 Update Changelog
-        run: npx changelogithub
+        run: npx changelogithub@14.0.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
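Review bot: `--no-git-checks` on the new publish line deserves an inline comment, because it reads like a shortcut but is structural: the publish job has no checkout, so the working tree is the downloaded artifact rather than a git repository and pnpm's branch/clean-tree checks have nothing to inspect; `run: pnpm publish --no-git-checks --ignore-scripts # no checkout in this job: the tree is the downloaded artifact, not a git repo` records that. `--ignore-scripts` is carried over from the npm form and keeps `prepublishOnly`/`prepack` hooks out of the job holding `id-token: write`; if the package relied on such a hook to produce `dist/`, that work now has to happen in `build`, which the artifact validation step there appears to cover.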
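Review bot: `--ignore-scripts` on the install line in the `@@ -26,7` hunk skips this project's own lifecycle scripts (`prepare`, `postinstall`) as well as those of dependencies, so any dependency that needs a postinstall step to be usable (native builds, fetched binaries) will be missing it when typecheck and test run; worth confirming once against the lockfile and recording with a comment such as `# --ignore-scripts: no lifecycle hooks run in CI; nothing in this package depends on them`. If a single dependency genuinely needs its build script, `pnpm.onlyBuiltDependencies` in `package.json` is the allow-list form that keeps the default closed.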