From 361bf15884c0355dc567524fb312a1e9d7995bc9 Mon Sep 17 00:00:00 2001
From: Artificium
Date: Sat, 18 Apr 2026 02:51:40 +0000
Subject: [PATCH] ci(release): switch publish to npm Trusted Publishing (OIDC)
Remove NODE_AUTH_TOKEN from the publish step. With a trusted publisher configured on npmjs.com for @salishforge/memforge + this workflow, the npm CLI authenticates via the GitHub Actions OIDC token (id-token: write was already granted for provenance attestations). Benefits over a long-lived token:
- No secret to rotate or leak; no 2FA bypass flag required.
- Cryptographic proof that the publish came from this specific workflow in this specific repository.
- Aligns with npm's recommended practice (classic Automation tokens are being phased out).
Requires the trusted publisher to be configured on npmjs.com BEFORE the next release tag is pushed. Once confirmed working, the NPM_TOKEN secret can be deleted from the repo.
---
.github/workflows/release.yml | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 777fb6e..850b1cd 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -28,16 +28,14 @@ jobs:
 registry-url: "https://registry.npmjs.org"
 - run: npm ci
 - run: npm run build
- # Bootstrap publish auth: NODE_AUTH_TOKEN (Classic Automation token).
- # @salishforge/memforge does not exist on npm yet, so Trusted Publishing
- # cannot be configured for it — trusted publishers are attached to an
- # existing package on npmjs.com. After the first publish succeeds, swap
- # this step to OIDC by removing NODE_AUTH_TOKEN (id-token: write is
- # already granted for provenance attestations).
+ # Auth via npm Trusted Publishing (OIDC). The package exists on npm
+ # as of v3.0.0-beta.3, so a trusted publisher can be configured for
+ # it on npmjs.com (Packages → @salishforge/memforge → Settings →
+ # Trusted publishing). Once configured, no NODE_AUTH_TOKEN is needed:
+ # npm CLI uses the GitHub Actions OIDC token (id-token: write, above)
+ # to authenticate directly.
 - name: Publish package
 run: npm publish --access public --provenance
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 github-release:
 name: Create GitHub Release
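Review bot: The new comment promises that the npm CLI will fall back to the OIDC token, but nothing in the hunk pins an npm version, and npm's trusted-publishing support only exists in recent CLI releases (11.5.1 or later, per npm's announcement) whereas the runner's default Node toolchain may ship an older npm; the setup-node version is outside this hunk, so confirm it there or add a pinned upgrade such as `- run: npm install -g npm@11` ahead of the publish step. The `registry-url` context line also means setup-node still writes an `.npmrc` whose auth entry references `${NODE_AUTH_TOKEN}`, which is now unset; verify that the npm version in use treats that empty reference as a warning rather than a config error before the next release tag is pushed (a `npm publish --dry-run` on a non-tag run would surface both problems cheaply). The comment could state the hard requirement explicitly: `# Requires npm >= 11.5.1 (trusted publishing); NODE_AUTH_TOKEN is intentionally unset.` The permissions block granting `id-token: write` and the rest of the publish job are outside the hunk.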