fix(ci): use custom publishing to enable npm OIDC

[GarthDB]

Root Cause: changesets/action Doesn't Support OIDC

After PR #676 merged (which successfully installed npm 11.6.2), publishing still failed because:

changesets/action is designed for NPM_TOKEN authentication and doesn't fully support npm's OIDC trusted publishing.

The Problem

As documented in changesets/action issue #515, the action combines two operations in one workflow:

1. Creating/updating version PRs
2. Publishing packages

When using the built-in publish parameter, changesets/action tries to manage npm authentication itself, which interferes with npm 11.6.2's OIDC auto-detection.

Evidence from Workflow Logs

Found existing user .npmrc file
Didn't find existing auth token for the npm registry in the user .npmrc file, creating one

Then:

🦋  error an error occurred while publishing: ENEEDAUTH This command requires you to be logged in

Solution: Custom Publishing

Use the "custom publishing" approach from the changesets/action README:

1. changesets/action only handles versioning and PR creation (no publish parameter)
2. Separate step runs pnpm release when hasChangesets == 'false'
3. npm 11.6.2 handles OIDC automatically without interference

Workflow Changes

- name: Create Release Pull Request
  id: changesets
  uses: changesets/action@v1
  with:
    commit: "chore: release"
  env:
    GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}

# Custom publishing step - runs only when it's time to publish
- name: Publish to npm with OIDC
  if: steps.changesets.outputs.hasChangesets == 'false'
  run: pnpm release
  env:
    GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}

How It Works Now

1. ✅ npm 11.6.2 installed (via .prototools from PR fix(ci): configure npm 11.6.2 in prototools for OIDC support #676)
2. ✅ changesets/action creates/updates release PRs
3. ✅ When release PR is merged (no new changesets), publish step runs
4. ✅ pnpm release → changeset publish → npm publish
5. ✅ npm 11.6.2 detects GitHub Actions OIDC environment
6. ✅ npm uses trusted publishers for authentication
7. ✅ Packages publish successfully!

Why This Works

The custom publishing approach bypasses changesets/action's authentication management, allowing npm's built-in OIDC support to work transparently. This is the recommended pattern for custom authentication setups.

References

• changesets/action: Custom Publishing
• changesets/action issue #515 - Known OIDC limitations
• npm trusted publishing docs

Related

• Builds on npm 11.6.2 installation from fix(ci): configure npm 11.6.2 in prototools for OIDC support #676
• Completes OIDC migration started in feat(ci): migrate to npm trusted publishing with OIDC #671
• Works around changesets/action OIDC limitations

[changeset-bot]

⚠️ No Changeset found

Latest commit: 69bda31

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[GarthDB]

Run report for 69bda31e

Total time: 7.4ms | Comparison time: 0s | Estimated loss: 7.4ms (100.0% slower)

	Action	Time	Status	Info
🟩	SyncWorkspace	7.3ms	Passed

Touched files

.github/workflows/release.yml