ci: re-enable NPM_TOKEN fallback (OIDC test failed), bump to 0.2.8

Mlaz-code · claude · Mlaz-code · commit 808744562c0a · 2026-04-23T12:51:21.000-04:00
v0.2.7 OIDC test repeated the same 404 we saw on v0.2.5. Trusted
Publisher binding IS visible on npmjs.com but isn't authenticating
the publish — likely needs the package access mode to flip from
"Require 2FA OR token" to "Require 2FA AND disallow tokens" on the
npm UI to fully activate OIDC.

Restoring NPM_TOKEN env var until that's tested. v0.2.7 release
deleted (orphan tag). Cutting v0.2.8.

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -54,14 +54,16 @@ jobs:
         # Only publish on an actual release event. workflow_dispatch
         # runs through test+build as a dry run but must not upload.
         #
-        # Auth: Trusted Publisher (OIDC). npm picks up the GitHub OIDC
-        # token automatically when no _authToken is configured. Trust is
-        # registered at:
-        #   https://www.npmjs.com/package/@sharp-api/client/access
-        # (Trusted Publishers → Sharp-API/sharpapi-ts → publish.yml).
-        # NPM_TOKEN secret remains in the repo as a break-glass fallback
-        # (add `env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` back if
-        # OIDC ever regresses to 404/permission-denied).
-        # --provenance emits the SLSA attestation.
+        # Auth: NPM_TOKEN secret. Trusted Publisher (OIDC) is registered
+        # at https://www.npmjs.com/package/@sharp-api/client/access but
+        # tested twice (v0.2.5, v0.2.7) — both attempts returned the
+        # 404/permission-denied mask. Likely the package access mode
+        # ("Require 2FA OR token") needs to flip to "disallow tokens" on
+        # npm.js to fully activate OIDC. Until then NPM_TOKEN is the
+        # only auth path that works. Drop NODE_AUTH_TOKEN env once OIDC
+        # is confirmed publishing on a follow-up test release.
+        # --provenance still emits the SLSA attestation.
         if: github.event_name == 'release'
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: npm publish --provenance --access public
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@sharp-api/client",
-  "version": "0.2.7",
+  "version": "0.2.8",
   "description": "Official TypeScript/JavaScript client for the SharpAPI real-time sports betting odds API",
   "type": "module",
   "main": "./dist/index.cjs",

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@sharp-api/client",`
`3`		`- "version": "0.2.7",`
	`3`	`+ "version": "0.2.8",`
`4`	`4`	`"description": "Official TypeScript/JavaScript client for the SharpAPI real-time sports betting odds API",`
`5`	`5`	`"type": "module",`
`6`	`6`	`"main": "./dist/index.cjs",`