From 143ecc3f79af1a3100eb4baa5a72c69b3595cf8c Mon Sep 17 00:00:00 2001
From: Andrew Fischer
Date: Wed, 5 Nov 2025 12:06:49 -0800
Subject: [PATCH] ci: enable OIDC trusted publishing for npm

Configure GitHub Actions workflow to use OIDC authentication instead of NPM_TOKEN for publishing packages. This provides better security by eliminating long-lived secrets and enables automatic provenance attestation.

Changes:
- Add publish environment and id-token: write permission
- Remove NPM_TOKEN from workflow configuration
- Keep GITHUB_TOKEN for git operations

Ticket: VL-3686
---
 .github/workflows/publish.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 7ea6e23..e60b434 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -12,6 +12,10 @@ jobs:
   publish:
     name: Publish Release
     runs-on: ubuntu-latest
+    environment: publish
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - name: Checkout repository
@@ -55,9 +59,6 @@ jobs:
         run: |
           echo "workspaces-update = false" >> .npmrc
           echo "@bitgo:registry=https://registry.npmjs.org" >> .npmrc
-          echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> .npmrc
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
       - name: Install Packages
         run: npm ci --workspaces --include-workspace-root
@@ -72,4 +73,3 @@ jobs:
         run: npx lerna publish --yes --no-verify-access
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
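Review bot: Declaring `permissions:` at job level replaces every default token grant, so with `contents: read` the GITHUB_TOKEN that the later `lerna publish` step still receives can no longer push version commits or tags or create releases; if those git operations depend on GITHUB_TOKEN rather than a PAT supplied at checkout (the checkout and publish steps lie outside this hunk), the line should read `contents: write`. `environment: publish` is only a real control once the environment carries protection rules (required reviewers, deployment-branch restrictions) and matches the environment name registered in the package's npm trusted-publisher settings; the name by itself gates nothing. Trusted publishing also requires a recent npm CLI (11.5.1 or later, as far as I know), which the default Node on `ubuntu-latest` may not ship, so the setup-node step should pin or upgrade npm. Because the NPM_TOKEN secret is no longer referenced anywhere in this workflow, it should be revoked on npmjs.com and deleted from the repository secrets — removing it from the YAML does not invalidate the long-lived credential, and a leftover token in a committed .npmrc or NPM_CONFIG environment would likely be preferred over OIDC.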