test(ci): bypass proto shims to test OIDC compatibility

[GarthDB]

Purpose

This PR tests if npm OIDC authentication works when we completely bypass proto/moonrepo shims.

The Question

After extensive testing with v1.6.4 through v1.6.8, we've confirmed:

• ✅ OIDC environment variables ARE present in GitHub Actions (PR test(ci): verify OIDC environment variables are available in shell #687)
• ✅ npm 11.6.2 is installed correctly
• ✅ Trusted publishers are configured for all packages
• ✅ GarthDB/changesets-action@v1.6.8 explicitly passes OIDC env vars
• ❌ npm still fails with ENEEDAUTH through proto shim chain

This test answers: Is proto the blocker?

Changes in This PR

Before (with proto):

- uses: moonrepo/setup-toolchain@v0  # Uses proto shims for npm, pnpm, moon

After (bypassing proto):

- uses: actions/setup-node@v4
  with:
    node-version: '20.17.0'
- run: npm install -g npm@11.6.2      # Direct install, no shim
- run: npm install -g pnpm@10.17.1    # Direct install, no shim
- run: npm install -g @moonrepo/cli@1.39.1  # Direct install, no shim

Still using:

• GarthDB/changesets-action@v1.6.8 with oidcAuth: true
• Same build and publish commands
• Same OIDC configuration

Expected Outcomes

✅ If This Works (npm publishes successfully)

Confirmed: Proto shims are blocking OIDC variable inheritance

Options:

1. Use this approach for releases - Install tools directly in release workflow only
2. File bug with proto/moonrepo - Request OIDC support in shims
3. Hybrid approach - Use proto for dev, direct install for CI/CD

Your fork still works! GarthDB/changesets-action@v1.6.8 is correctly passing env vars, proto was just blocking them.

❌ If This Fails (still ENEEDAUTH)

Confirmed: Issue is NOT proto shims

Options:

1. Deep dive OIDC config - Something else is misconfigured
2. Fall back to NPM_TOKEN - Use traditional authentication
3. Contact npm support - Possible npm OIDC bug

Why This Is a Good Test

• Isolates the variable: Only changes toolchain installation method
• Keeps OIDC logic: Still uses v1.6.8 with explicit env passing
• Minimal impact: Only affects release workflow, not dev environment
• Reversible: Easy to revert if it doesn't work

Process Flow (Without Proto)

GitHub Actions (OIDC vars available)
  ↓
changesets-action (passes OIDC vars explicitly)
  ↓
pnpm release (direct binary, no shim)
  ↓
changeset publish
  ↓
npm publish (direct binary, no shim)
  ↓
npm detects OIDC and authenticates ✅ (hopefully!)

Notes

• This only affects the release workflow - dev environment still uses proto
• All tool versions match what's configured in .prototools and .moon/toolchain.yml
• If this works, we can decide whether to keep it or pursue proto fixes

Testing

Merge to main and watch the release workflow. Look for:

• No ENEEDAUTH errors
• Successful package publishes
• "Successfully published with provenance" messages

References

• PR test(ci): verify OIDC environment variables are available in shell #687: Confirmed OIDC vars present in shell
• PR fix(ci): use changesets-action v1.6.8 with explicit OIDC env passing #688: v1.6.8 failed with proto shims
• npm Trusted Publishing docs
• Proto issue tracking OIDC (to be filed if proto is confirmed as blocker)

[changeset-bot]

⚠️ No Changeset found

Latest commit: b03c8bc

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[GarthDB]

Run report for b03c8bc0

Total time: 6.7ms | Comparison time: 0s | Estimated loss: 6.7ms (100.0% slower)

	Action	Time	Status	Info
🟩	SyncWorkspace	6.5ms	Passed

Touched files

.github/workflows/release.yml