From 5ea02871f895baca50963a6cfbbd449e495e3c17 Mon Sep 17 00:00:00 2001
From: lex00
Date: Fri, 19 Jun 2026 13:14:02 -0600
Subject: [PATCH] ci(publish): pure OIDC trusted publishing (drop dead token path)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
@intentius/github-warden@0.2.0 is now published (bootstrapped via a local 2FA login). The org enforces 2FA so tokens hit EOTP — the token path is dead weight. Revert publish.yml to clean pure-OIDC; future releases go via the package's trusted-publisher record.
Co-Authored-By: Claude Opus 4.8
---
 .github/workflows/publish.yml | 23 +++++------------------
 1 file changed, 5 insertions(+), 18 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 196a1b1..0b1f59b 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -34,32 +34,19 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 contents: read
- id-token: write # enables --provenance attestation
- env:
- # Auth comes from an NPM_TOKEN repo secret (GitHub: Settings → Secrets and
- # variables → Actions). Create the token at npmjs.com → Access Tokens
- # (Granular, with read+write to the @intentius scope — or a classic
- # Automation token). When the secret is present we publish with it; if it
- # is ever removed we fall through to OIDC (once trusted publishing is set
- # up for this repo).
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+ id-token: write # OIDC trusted publishing (2FA-exempt; no token)
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
 - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
 with:
 node-version: '22'
 cache: npm
+ # No registry-url on purpose: it would write an .npmrc with a
+ # placeholder token that 404s; without it, npm publish uses the OIDC
+ # id-token via the package's trusted-publisher record.
 - run: npm ci
 - name: Publish @intentius/github-warden
 run: |
- set -euo pipefail
 V=$(node -e "process.stdout.write(require('./package.json').version)")
 P=$(npm view @intentius/github-warden version 2>/dev/null || echo "none")
- if [ "$V" = "$P" ]; then
- echo "@intentius/github-warden@$V already published, skipping"
- exit 0
- fi
- if [ -n "${NPM_TOKEN:-}" ]; then
- echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc
- fi
- npm publish --access public --provenance
+ [ "$V" = "$P" ] && echo "@intentius/github-warden@$V already published, skipping" || npm publish --access public --provenance
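Review bot: The last added line of the hunk replaces the if/else with `[ "$V" = "$P" ] && echo … || npm publish …` and the hunk also removes `set -euo pipefail`, so the step now depends on the runner's implicit `bash -e` default and on the `A && B || C` idiom, in which a failing `echo` falls through to a publish; the job this step belongs to begins above line 34, outside the hunk. Keeping an explicit `set -euo pipefail` plus a plain `if … else … fi` keeps the fail-closed behaviour visible in the workflow file itself rather than as a property of the runner's default shell, and is unrelated to the token-path removal the commit is about. A second, hedged point: OIDC trusted publishing needs a recent npm CLI, and the job pins `node-version: '22'` without checking which npm it bundles; if that npm predates trusted-publishing support, `npm publish` will fail with an auth error instead of using the id-token, so an `npm --version` sanity step or an explicit npm upgrade before publishing would make the failure mode obvious.
```yaml
      - name: Publish @intentius/github-warden
        run: |
          set -euo pipefail
          # … unchanged: V= (package.json version) and P= (npm view) lookups …
          if [ "$V" = "$P" ]; then
            echo "@intentius/github-warden@$V already published, skipping"
          else
            npm publish --access public --provenance
          fi
```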