From 55b22d8e7e7d25a1a2951541b64cb902d536bc7b Mon Sep 17 00:00:00 2001
From: Karan Singh Kochar
Date: Sun, 21 Dec 2025 13:31:23 -0600
Subject: [PATCH 1/2] chore: switch to Trusted Publishing for npm (remove NPM_TOKEN)
Use OIDC-based Trusted Publishing instead of long-lived tokens. More secure: no secrets to manage, automatic GitHub authentication. npm will authenticate via GitHub Actions OIDC token automatically. The 'id-token: write' permission enables this.
---
.github/workflows/npm-publish.yml | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 6357ad7..94e806e 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -85,11 +85,9 @@ jobs: echo "✅ Version $PACKAGE_VERSION is new. Ready to publish!" fi - # 9. Publish to npm + # 9. Publish to npm (using Trusted Publishing via OIDC) - name: Publish to npm run: npm publish --provenance --access public - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} # 10. Success message - name: Success notification
From 018227f04d5493e7242bec2532ccd0581025499e Mon Sep 17 00:00:00 2001
From: Karan Singh Kochar
Date: Sun, 21 Dec 2025 14:10:47 -0600
Subject: [PATCH 2/2] workflow from npm site https://docs.npmjs.com/trusted-publishers#step-2-configure-your-cicd-workflow
---
.github/workflows/npm-publish.yml | 105 +++++-------------------------
1 file changed, 16 insertions(+), 89 deletions(-)
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 94e806e..6aca50a 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
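Review bot: The new comment on the publish step names the mechanism but not what has to be in place for `npm publish` to succeed once `NODE_AUTH_TOKEN` is gone: a trusted publisher registered on npmjs.com for this repository and workflow file, and an npm CLI recent enough to exchange the GitHub OIDC token (the `setup-node` version pin sits outside this hunk, so that cannot be confirmed here). Suggest `# 9. Publish to npm via Trusted Publishing (OIDC): needs a trusted publisher configured on npmjs.com for this repo/workflow file and an npm CLI that supports it; no NPM_TOKEN secret is used`. Since the workflow no longer references the secret, the `NPM_TOKEN` value should also be deleted from the repository settings and revoked on npm so a stale long-lived token cannot still publish. The steps list enclosing this change continues outside the hunk.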
@@ -1,98 +1,25 @@ -name: Publish to npm +name: Publish Package on: - release: - types: [published] + push: + tags: + - 'v*' + +permissions: + id-token: write # Required for OIDC + contents: read jobs: publish: runs-on: ubuntu-latest - - permissions: - contents: read - id-token: write # Required for npm provenance - steps: - # 1. Checkout code - - name: Checkout repository - uses: actions/checkout@v4 - - # 2. Setup Node.js - - name: Setup Node.js - uses: actions/setup-node@v4 + - uses: actions/checkout@v4 + + - uses: actions/setup-node@v4 with: - node-version: '20' + node-version: '24' registry-url: 'https://registry.npmjs.org' - - # 3. Install dependencies - - name: Install dependencies - run: npm ci - - # 4. Run tests (ALL 237 tests must pass!) - - name: Run tests - run: npm test - - # 5. Build the package - - name: Build package - run: npm run build - - # 6. Validate version matches release tag - - name: Validate version - run: | - PACKAGE_VERSION=$(node -p "require('./package.json').version") - RELEASE_TAG=${GITHUB_REF#refs/tags/} - - # Remove 'v' prefix if present (v2.0.0 → 2.0.0) - RELEASE_VERSION=${RELEASE_TAG#v} - - echo "Package version: $PACKAGE_VERSION" - echo "Release version: $RELEASE_VERSION" - - if [ "$PACKAGE_VERSION" != "$RELEASE_VERSION" ]; then - echo "❌ ERROR: Version mismatch!" - echo "package.json version ($PACKAGE_VERSION) does not match release tag ($RELEASE_VERSION)" - exit 1 - fi - - echo "✅ Version validation passed!" - - # 7. Verify build output exists - - name: Verify build output - run: | - if [ ! -f "dist/index.js" ]; then - echo "❌ ERROR: dist/index.js not found!" - exit 1 - fi - - if [ ! -f "dist/index.d.ts" ]; then - echo "❌ ERROR: dist/index.d.ts not found!" - exit 1 - fi - - echo "✅ Build output verified!" - - # 8. 
Check if version already published (safety check) - - name: Check if version already published - run: | - PACKAGE_VERSION=$(node -p "require('./package.json').version") - PACKAGE_NAME=$(node -p "require('./package.json').name") - - # Check npm registry - if npm view "$PACKAGE_NAME@$PACKAGE_VERSION" version 2>/dev/null; then - echo "⚠️ WARNING: Version $PACKAGE_VERSION is already published to npm!" - echo "This might be a re-release. Proceeding anyway..." - else - echo "✅ Version $PACKAGE_VERSION is new. Ready to publish!" - fi - - # 9. Publish to npm (using Trusted Publishing via OIDC) - - name: Publish to npm - run: npm publish --provenance --access public - - # 10. Success message - - name: Success notification - run: | - PACKAGE_VERSION=$(node -p "require('./package.json').version") - echo "🎉 Successfully published backpackflow@$PACKAGE_VERSION to npm!" - echo "📦 View package: https://www.npmjs.com/package/backpackflow" - + - run: npm ci + - run: npm run build --if-present + - run: npm test + - run: npm publish \ No newline at end of file
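Review bot: The rewritten job publishes whatever version `package.json` holds for any pushed `v*` tag; the old step 6 that compared the tag to the package version and step 7 that checked `dist/` exists were dropped together with the token change, so a mistyped or re-pushed tag now reaches `npm publish` unchecked (the registry refuses an already-published version, but a mismatched one goes out under the wrong tag). A short guard between `npm test` and `npm publish`, shown below, restores that check using the tag name the runner exposes. With `permissions` now at workflow level every job receives `id-token: write`, which is harmless for this single job but worth moving back under `publish` if more jobs are added. The dropped `--provenance` flag is presumably covered by the automatic provenance npm's Trusted Publishing documentation describes, and `--access public` only matters for scoped packages, but both are worth confirming on the first release; the file also now ends without a trailing newline.

```yaml
      - run: npm test

      # Guard restored from the old step 6: refuse to publish if the tag
      # does not match package.json (GITHUB_REF_NAME is the bare tag, e.g. v1.2.3)
      - name: Validate version matches tag
        run: |
          PACKAGE_VERSION=$(node -p "require('./package.json').version")
          TAG_VERSION=${GITHUB_REF_NAME#v}
          if [ "$PACKAGE_VERSION" != "$TAG_VERSION" ]; then
            echo "package.json version ($PACKAGE_VERSION) does not match tag ($TAG_VERSION)"
            exit 1
          fi

      - run: npm publish
```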