
Add trusted publishing #791

Merged: ericglau merged 13 commits into master from oidc, Apr 7, 2026

Conversation

@ericglau (Member) commented Apr 1, 2026

Summary

Add npm trusted publishing support to the publish workflow while keeping NPM_TOKEN fallback for first-time publishes of new packages.

Changes

  • Add registry-url: 'https://registry.npmjs.org' to the shared setup action so setup-node writes npm config for the npm registry and publish auth is wired correctly.
  • Add id-token: write to .github/workflows/publish.yml so GitHub Actions can mint the OIDC token required by npm trusted publishing.
  • Install npm@11.12.1 in the publish workflow because trusted publishing requires npm 11.5.1+, while the default npm on Node 22 is older.
  • Switch publish auth from NPM_TOKEN to NODE_AUTH_TOKEN because setup-node writes .npmrc using ${NODE_AUTH_TOKEN}, which is the env var npm will actually read.
  • Add NPM_CONFIG_PROVENANCE: true so provenance is generated consistently, including when the workflow falls back to token-based publish.

Notes

  • Keeps NPM_TOKEN fallback for new packages that do not yet have a trusted publisher configured.

@ericglau ericglau requested a review from tirumerla April 1, 2026 17:41
@ericglau ericglau requested a review from a team as a code owner April 1, 2026 17:41
@tirumerla (Collaborator) left a comment


Not sure if we still need the token, otherwise lgtm

env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
Collaborator left a comment

Do we still need the TOKEN?

@coderabbitai (Contributor) bot commented Apr 2, 2026

Review skipped: auto incremental reviews are disabled on this repository.


Walkthrough

GitHub Actions configuration updates enable OIDC-based trusted publishing for npm packages. The setup action now configures the npm registry URL. The publish workflow installs npm@11.12.1, detects new packages in Yarn workspaces, and conditionally exports authentication tokens for publishing operations.

Changes

Cohort / File(s): Summary
  • Setup Action (.github/actions/setup/action.yml): Added registry-url input to actions/setup-node step, configured to use https://registry.npmjs.org.
  • Publish Workflow (.github/workflows/publish.yml): Added id-token: write permissions for OIDC support, installed npm@11.12.1, added workspace package detection logic, and implemented conditional NODE_AUTH_TOKEN export when new packages are detected. Changed changesets action to use NPM_CONFIG_PROVENANCE: true instead of passing NPM_TOKEN.


@coderabbitai (Contributor) bot left a comment

Actionable comments posted: 1

Caution: some comments are outside the diff and can't be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
.github/workflows/publish.yml (1)

50-66: ⚠️ Potential issue | 🟠 Major

Upgrade changesets/action to v1.6.0+ to enable OIDC-aware authentication.

The workflow uses changesets/action@v1.5.3, which lacks OIDC-aware logic added in v1.6.0+. When has_new_packages is true, NODE_AUTH_TOKEN is set in the job environment, and v1.5.3 will use this token for all packages in the subsequent publish: npm run publish invocation, including existing packages that could use OIDC trusted publishing. Upgrading to v1.6.0 or later enables the action to skip token configuration when OIDC conditions are met, allowing existing packages to publish via OIDC while only new packages (or those requiring token fallback) use NPM_TOKEN.

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/publish.yml:
- Around line 35-49: The script currently treats any failure of the npm view command as a new-package signal; change the loop that runs npm view "$pkg" so it captures stderr/exit status and only treats definite 404 responses (e.g., stderr contains "404" / "Not Found" / "E404") as a new package to append to "$RUNNER_TEMP/new_packages.txt"; for any other non-404 failure (timeouts, 5xx, rate limits, network errors) have the step exit non-zero (fail) with an error message so the workflow doesn't silently switch to token publishing. Update the logic around the npm view call and the determination of has_new_packages to reflect this behavior while still writing to "$RUNNER_TEMP/new_packages.txt" only for true 404s.

---

Outside diff comments:
In @.github/workflows/publish.yml:
- Around line 50-66: The workflow step using changesets/action pinned as changesets/action@e0145edc7d9d8679003495b11f87bd8ef63c0cba (v1.5.3) should be updated to v1.6.0 or later so the action can perform OIDC-aware authentication; change the step with id "changesets" (the "Create Prepare Release PR or Publish" step) to use a v1.6.0+ reference, and keep the existing NODE_AUTH_TOKEN/NPM_TOKEN logic and has_new_packages conditional intact so the action will skip injecting the token when OIDC is available and only fall back to NPM_TOKEN when necessary.

📥 Commits

Reviewing files that changed from the base of the PR and between b907a53 and 85aec59.

📒 Files selected for processing (2)
  • .github/actions/setup/action.yml
  • .github/workflows/publish.yml
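The new-package detection the inline review comment asks for, as an added example that is not the PR's own workflow script: only a definite E404 from npm view marks a package as new, and any other failure aborts the step so the job never silently drops into NPM_TOKEN publishing. NPM_VIEW is an assumed hook for the npm view command, and fake_npm_view is a constructed stub so the script runs offline; enumerating the Yarn workspaces is left to the caller.

```shell
#!/usr/bin/env bash
# Added example, not the PR's own workflow script: detect workspace packages
# that are not on the registry yet, treating ONLY a definite E404 from
# "npm view" as "new". Any other failure (timeout, 5xx, rate limit) aborts
# the step instead of silently enabling the NPM_TOKEN fallback.
# Assumptions: NPM_VIEW is a hook for the npm view command (defaults to the
# real one); package names are passed as arguments, so enumerating the Yarn
# workspaces is left to the caller.

: "${NPM_VIEW:=npm view}"

# classify_view_result EXIT_CODE STDERR_TEXT -> prints exists | new | error
classify_view_result() {
  if [ "$1" -eq 0 ]; then
    echo exists
  elif printf '%s' "$2" | grep -qE 'E404|404 Not Found'; then
    echo new
  else
    echo error
  fi
}

# detect_new_packages OUTFILE PKG... -> writes new package names to OUTFILE,
# prints true/false (the has_new_packages value) and returns non-zero if any
# package could not be classified as existing or missing.
detect_new_packages() {
  outfile="$1"; shift
  : > "$outfile"
  for pkg in "$@"; do
    # capture stderr only; stdout (the version) is not needed
    err=$($NPM_VIEW "$pkg" version 2>&1 >/dev/null) && code=0 || code=$?
    case "$(classify_view_result "$code" "$err")" in
      exists) ;;
      new)    echo "$pkg" >> "$outfile" ;;
      error)  echo "npm view $pkg failed (exit $code): $err" >&2; return 1 ;;
    esac
  done
  if [ -s "$outfile" ]; then echo true; else echo false; fi
}

# Constructed stub standing in for "npm view" so the example runs offline;
# its messages mimic npm's E404 and network-error output.
fake_npm_view() {
  case "$1" in
    @example/existing)  echo "1.2.3" ;;
    @example/brand-new) echo "npm error code E404" >&2; return 1 ;;
    *)                  echo "npm error code ECONNRESET" >&2; return 1 ;;
  esac
}
```

In the workflow step the call would be `has_new=$(detect_new_packages "$RUNNER_TEMP/new_packages.txt" <package names>)`, with the true/false result exported as the has_new_packages output.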

@pasevin left a comment

lgtm

@ericglau ericglau enabled auto-merge (squash) April 7, 2026 15:35
@ericglau ericglau merged commit 20141c1 into master Apr 7, 2026
26 checks passed
@ericglau ericglau deleted the oidc branch April 7, 2026 15:44
@github-actions github-actions bot locked and limited conversation to collaborators Apr 7, 2026