From e742a9da4fd7786cc3d87b9684a25f35e7484708 Mon Sep 17 00:00:00 2001
From: Kurt Overmier
Date: Sat, 18 Apr 2026 06:40:45 -0500
Subject: [PATCH] =?UTF-8?q?ci(release):=20drop=20token=20plumbing=20?= =?UTF-8?q?=E2=80=94=20OIDC=20trusted=20publishers=20only?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Root cause of the v0.12.0 E404 on adf: actions/setup-node's registry-url option writes ~/.npmrc with `//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}`, which makes npm CLI prefer token auth for the PUT request — even with --provenance flag and trusted publishers configured for the package. With NPM_TOKEN now revoked on the account side, the token string is dead, the publish PUT returns 404 (npm's stealth rejection for unauthorized write). Fix: 1. Drop `registry-url` from setup-node — prevents .npmrc generation. 2. Drop `NODE_AUTH_TOKEN` env from the publish step — nothing reads it. With neither present, npm CLI sees `id-token: write` + `--provenance` + trusted publisher configured on each package, and uses OIDC for both provenance signing AND publish auth. The NPM_TOKEN repo secret becomes irrelevant after this change and can be deleted in a follow-up PR.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/release.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2f381be..33f0d39 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -107,11 +107,13 @@ jobs:
       - uses: pnpm/action-setup@fc06bc1257f339d1d5d8b3a19a8cae5388b55320 # v4.4.0
+      # No registry-url: setup-node would otherwise write ~/.npmrc with a
+      # _authToken line, which makes npm CLI prefer token auth over the
+      # OIDC flow that trusted publishers require.
       - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
           node-version: '20'
           cache: 'pnpm'
-          registry-url: 'https://registry.npmjs.org'
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
@@ -136,7 +138,7 @@ jobs:
           done
           if [[ $FAIL -ne 0 ]]; then exit 1; fi
+      # Auth is OIDC via npm trusted publishers — no NPM_TOKEN needed.
+      # See: https://docs.npmjs.com/trusted-publishers
       - name: Publish to npm
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: npm publish --workspaces --access public --provenance
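Review bot: The hunk keeps `node-version: '20'`, whose bundled npm is a 10.x release, while npm's trusted-publishing (OIDC) auth for `npm publish` requires npm CLI 11.5.1 or later; unless a step outside this hunk upgrades npm, removing the token leaves the publish step with no usable credential and the same E404 the commit diagnoses. The straightforward fix is a step right after setup-node, `- name: Upgrade npm (OIDC trusted publishing needs >= 11.5.1)` / `run: npm install -g npm@latest`, or a pin to a specific 11.x version to keep the toolchain reproducible. The added `# No registry-url` comment would also benefit from one more line, `# Trusted publishing also needs npm >= 11.5.1; Node 20 ships npm 10.`, so the next reader does not re-add `registry-url` or assume the bundled npm suffices. The `steps:` list this hunk sits in begins above the hunk, so the job's other setup is not visible here.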
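Review bot: The publish step now depends entirely on the job's OIDC identity, yet the `permissions: id-token: write` grant that makes this work is outside the hunk (the job header is above it); confirm it is present and scoped to this job rather than the whole workflow, since every job holding that permission can mint an identity token. npm's trusted-publisher binding also matches on the workflow filename, so renaming `release.yml` would reproduce the silent 404 this commit fixes; a line next to the added `# Auth is OIDC` comment, `# npm's trusted publisher is bound to this workflow's filename (release.yml); renaming it breaks publish auth.`, records that coupling. Because nothing now fails fast if token auth creeps back in (a committed `.npmrc`, for instance, would again take precedence over OIDC), a guard step before publish, `- name: Assert no token-based npm auth` / `run: '! grep -qs _authToken ~/.npmrc .npmrc'`, enforces the OIDC-only invariant the commit message describes.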