fix(ci): bypass both proto and moon for OIDC testing

[GarthDB]

Problem

PR #689 failed because moon is tightly coupled to proto and requires proto shims even when installed directly via npm:

Error: proto::store::shim::missing_binary
Unable to create shims as the proto-shim binary cannot be found.

Solution

This PR bypasses both proto AND moon to test if OIDC works with direct tool installation.

Changes

Removed:

- uses: moonrepo/setup-toolchain@v0  # Proto + all shims
- run: npm install -g @moonrepo/cli  # Moon requires proto
- run: moon setup                      # Fails without proto
- run: moon run :build                 # Moon-specific command

Added:

- uses: actions/setup-node@v4          # Direct Node.js
- run: npm install -g npm@11.6.2       # Direct npm (OIDC compatible)
- run: npm install -g pnpm@10.17.1     # Direct pnpm
- run: pnpm install                    # Install dependencies
- run: node tasks/buildSpectrumTokens.js  # Direct build
- run: node tasks/buildManifest.js        # Direct build

Still using:

• GarthDB/changesets-action@v1.6.8 with oidcAuth: true

Why This Should Work

1. Only tokens has builds: Other packages have no build tasks

   • packages/component-schemas - no build
   • packages/design-system-registry - no build
   • packages/tokens - builds via node scripts

2. No shim interference: All tools are direct binaries

   • Node.js 20.17.0 (direct)
   • npm 11.6.2 (direct, OIDC compatible)
   • pnpm 10.17.1 (direct)
   • No proto shims in the chain

3. OIDC vars will pass through:

   GitHub Actions (OIDC vars available)
     ↓
   changesets-action (passes vars explicitly)
     ↓
   pnpm release (direct binary)
     ↓
   changeset publish
     ↓
   npm publish (direct binary, no shim!)
     ↓
   npm detects OIDC ✅
   

Expected Outcomes

✅ If This Works

Confirmed: Proto/moon were the OIDC blockers!

Options:

1. Keep this approach - Only affects release workflow, dev still uses proto/moon
2. Hybrid setup - Proto/moon for dev, direct install for CI/CD
3. File proto bug - Request OIDC support in proto shims

Your fork works! - GarthDB/changesets-action@v1.6.8 correctly passes OIDC vars

❌ If This Fails

Confirmed: Issue is not proto/moon

Next steps:

• Investigate deeper OIDC configuration
• Fall back to NPM_TOKEN
• Contact npm support

Trade-offs

Pros:

• ✅ Tests OIDC without any shim interference
• ✅ Minimal changes (only release workflow)
• ✅ Dev environment unchanged (still uses proto/moon)
• ✅ Faster CI (no proto/moon overhead)

Cons:

• ❌ Duplicates tool version config (in workflow + .prototools)
• ❌ Must keep versions in sync manually
• ❌ No moon caching benefits

Testing

Merge to main and watch for:

• ✅ Successful token build
• ✅ No ENEEDAUTH errors
• ✅ Packages publish with provenance
• ✅ GitHub releases created

References

• PR test(ci): bypass proto shims to test OIDC compatibility #689: Failed due to moon requiring proto
• PR fix(ci): use changesets-action v1.6.8 with explicit OIDC env passing #688: v1.6.8 failed with proto shims
• PR test(ci): verify OIDC environment variables are available in shell #687: Confirmed OIDC vars present in shell
• npm Trusted Publishing
• Tokens build tasks

[changeset-bot]

⚠️ No Changeset found

Latest commit: f79dcef

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[GarthDB]

Run report for f79dcef6

Total time: 6.9ms | Comparison time: 0s | Estimated loss: 6.9ms (100.0% slower)

	Action	Time	Status	Info
🟩	SyncWorkspace	6.8ms	Passed

Touched files

.github/workflows/release.yml