feat(ci): integrate OIDC-enabled changesets-action fork

[GarthDB]

Summary

Replaces the custom publishing workaround (from #677) with a forked changesets-action that natively supports npm OIDC trusted publishing. This provides a cleaner, more integrated solution.

Background

After extensive debugging (PRs #671-677), we discovered that the official changesets/action doesn't support npm's OIDC trusted publishing feature (see changesets/action#515). PR #677 implemented a workaround using custom publishing steps.

This PR replaces that workaround with a properly OIDC-enabled fork.

Changes

Updated Action Reference

# Before:
uses: changesets/action@v1

# After:
uses: GarthDB/changesets-action@feat/oidc

Fork: https://github.com/GarthDB/changesets-action
Fork PR: GarthDB/changesets-action#2

Enabled OIDC Mode

with:
  commit: "chore: release"
  publish: pnpm release      # Restored - fork handles this
  oidcAuth: true             # Enable OIDC authentication

Removed Custom Publishing Workaround

Deleted the separate "Publish to npm with OIDC" step since the fork handles publishing internally with proper OIDC support.

How It Works

The forked action includes these enhancements:

1. Validates OIDC environment automatically:

   • npm version >= 11.5.1 ✅ (we have 11.6.2 via .prototools)
   • id-token: write permission ✅ (already configured)
   • No NPM_TOKEN set ✅ (removed in previous PRs)

2. Skips .npmrc creation when oidcAuth: true, allowing npm's native OIDC auto-detection to work

3. Maintains full backward compatibility with legacy NPM_TOKEN authentication

4. Provides clear error messages if OIDC requirements aren't met

Benefits

• Cleaner workflow: Publishing handled natively by changesets action
• Better integration: Can use steps.changesets.outputs.published for notifications
• Well-tested: Fork includes 26 tests validating OIDC functionality
• Secure: Uses short-lived OIDC tokens instead of long-lived secrets
• Provenance: Automatically generates cryptographic attestation

Architecture

flowchart TD
    Start[Workflow Start] --> Setup[Setup npm 11.6.2]
    Setup --> Build[Build packages]
    Build --> Fork[GarthDB/changesets-action]
    
    Fork --> Validate[Validate OIDC Environment]
    Validate --> CheckVer{npm >= 11.5.1?}
    CheckVer -->|Yes| CheckPerm{id-token: write?}
    CheckVer -->|No| Fail1[Error: Upgrade npm]
    CheckPerm -->|Yes| CheckToken{NPM_TOKEN set?}
    CheckPerm -->|No| Fail2[Error: Add permission]
    CheckToken -->|No| SkipNpmrc[Skip .npmrc creation]
    CheckToken -->|Yes| Fail3[Error: Conflicting auth]
    
    SkipNpmrc --> HasChanges{Has changesets?}
    HasChanges -->|Yes| CreatePR[Create/Update Version PR]
    HasChanges -->|No| Publish[Run pnpm release]
    
    Publish --> NpmOIDC[npm auto-detects OIDC]
    NpmOIDC --> Provenance[Publish with provenance]
    
    CreatePR --> Success[Success]
    Provenance --> Success

Loading

Testing

The fork has been tested with:

• ✅ 26 tests passing (OIDC validation + integration + existing tests)
• ✅ Type checking passes
• ✅ Build succeeds
• ✅ Backward compatibility verified

Verification

After merging, the next release will:

1. Use the forked action with OIDC enabled
2. Validate the environment automatically
3. Publish without needing NPM_TOKEN
4. Generate cryptographic provenance attestation
5. Display verified badge on npmjs.com package pages

Related

• Fork: https://github.com/GarthDB/changesets-action
• Fork PR: feat: Add OIDC trusted publishing support for npm GarthDB/changesets-action#2
• Original Issue: [Feat] separate workflow for publish to improve support for publishing w oidc changesets/action#515
• Previous workaround: fix(ci): use custom publishing to enable npm OIDC #677
• OIDC migration journey: feat(ci): migrate to npm trusted publishing with OIDC #671, fix(ci): configure changesets to skip npm auth for OIDC #672, fix(ci): create npmrc before changesets to enable OIDC #673, fix(ci): remove invalid skipNpmAuth parameter #674, fix(ci): remove auth token from npmrc to enable OIDC #675, fix(ci): configure npm 11.6.2 in prototools for OIDC support #676, fix(ci): use custom publishing to enable npm OIDC #677

[changeset-bot]

⚠️ No Changeset found

Latest commit: 13e5920

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[GarthDB]

Run report for 13e59200

Total time: 7.1ms | Comparison time: 0s | Estimated loss: 7.1ms (100.0% slower)

	Action	Time	Status	Info
🟩	SyncWorkspace	7ms	Passed

Touched files

.github/workflows/release.yml