From 2f303ed2fe8eb4670a2d67789bb7e4fc89bc92f0 Mon Sep 17 00:00:00 2001 From: Cameron Banowsky Date: Fri, 23 Jan 2026 10:10:44 -0800 Subject: [PATCH] feat(ci): migrate to npm Trusted Publishers (OIDC) - Upgrade Node.js from 18 to 24 for npm 11.5+ OIDC support - Remove NODE_AUTH_TOKEN secret from publish step - Use OIDC-based authentication for npm publishing - Add --access public flag for explicit public package publishing This eliminates the need for long-lived npm tokens and improves supply chain security by using short-lived, workflow-specific OIDC credentials. --- .github/workflows/auto-version-bump.yml | 2 +- .github/workflows/release-with-sbom.yml | 13 ++++++------- 2 files changed, 7 insertions(+), 8 deletions(-) diff --git a/.github/workflows/auto-version-bump.yml b/.github/workflows/auto-version-bump.yml index b089335..ca771d7 100644 --- a/.github/workflows/auto-version-bump.yml +++ b/.github/workflows/auto-version-bump.yml @@ -134,7 +134,7 @@ jobs: - name: Setup Node.js uses: actions/setup-node@v4 with: - node-version: '18' + node-version: '24' - name: Install project dependencies run: npm ci diff --git a/.github/workflows/release-with-sbom.yml b/.github/workflows/release-with-sbom.yml index 1c1a426..5c12312 100644 --- a/.github/workflows/release-with-sbom.yml +++ b/.github/workflows/release-with-sbom.yml @@ -279,7 +279,7 @@ jobs: - name: Set up Node.js uses: actions/setup-node@v4 with: - node-version: '18' + node-version: '24' registry-url: 'https://registry.npmjs.org' - name: Install dependencies @@ -323,7 +323,7 @@ jobs: - name: Set up Node.js uses: actions/setup-node@v4 with: - node-version: '18' + node-version: '24' - name: Install dependencies run: npm ci @@ -487,7 +487,7 @@ jobs: - name: Setup Node.js for publishing uses: actions/setup-node@v4 with: - node-version: '18' + node-version: '24' registry-url: 'https://registry.npmjs.org' - name: Create GitHub Release 
@@ -521,12 +521,11 @@ jobs: npx tsc --version npx tsc --listFiles - echo "Publishing to NPM with provenance and SBOM metadata" - npm publish --provenance + echo "Publishing to NPM with provenance (using OIDC Trusted Publisher)" + npm publish --provenance --access public echo "NPM publish complete" - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + # No NODE_AUTH_TOKEN needed - using npm Trusted Publishers (OIDC) - name: Release complete run: |
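Review bot: The comment added in place of the removed `env:` block does not record the preconditions the OIDC flow now silently depends on — an npm CLI new enough for Trusted Publishing (npm's docs put the floor at 11.5.1), `id-token: write` on this job, and a Trusted Publisher entry on npmjs.com bound to this repository and this exact workflow filename — so a later rename of `release-with-sbom.yml`, or a `setup-node` resolution of `'24'` to a 24.x whose bundled npm is below that floor, would fail the publish with no hint here. Because `npm publish --provenance` was already in use before this change, `id-token: write` is presumably already granted in the job's `permissions:` block, but that block is outside the hunk and should be confirmed rather than assumed. I would replace the added comment with `# Auth via npm Trusted Publishing (OIDC): needs npm >= 11.5.1 and id-token: write on this job,` / `# plus a Trusted Publisher on npmjs.com bound to this repo and workflow file name (no token).` and add `npm --version` beside the existing `npx tsc --version` diagnostic so the log shows which npm negotiated the credential. Once this lands, the `NPM_TOKEN` secret the removed line referenced should be deleted from the repository and revoked on npm so the long-lived credential is actually retired rather than left dormant. The `run: |` step this hunk edits begins above the hunk.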