Use npm trusted publishing in release workflow

stoefln · stoefln · commit 4ffe120af7f8 · 2026-03-04T10:12:44.000+08:00
diff --git a/.github/workflows/tagged_release.yaml b/.github/workflows/tagged_release.yaml
@@ -123,26 +123,5 @@ jobs:
             *.tgz
             prebuilds/**/*.node
 
-      - name: Check npm publish auth
-        id: npm-auth
-        shell: bash
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_RELEASE_PUBLISH_TOKEN }}
-        run: |
-          if [ -z "$NODE_AUTH_TOKEN" ]; then
-            echo "can_publish=false" >> "$GITHUB_OUTPUT"
-            echo "::warning::NPM_RELEASE_PUBLISH_TOKEN is not set; skipping npm publish."
-            exit 0
-          fi
-          if npm whoami >/dev/null 2>&1; then
-            echo "can_publish=true" >> "$GITHUB_OUTPUT"
-            exit 0
-          fi
-          echo "can_publish=false" >> "$GITHUB_OUTPUT"
-          echo "::warning::NPM token validation failed (expired/revoked/invalid); skipping npm publish."
-
       - name: Publish tagged release
-        if: steps.npm-auth.outputs.can_publish == 'true'
-        run: npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_RELEASE_PUBLISH_TOKEN }}
+        run: npm publish --provenance
diff --git a/RUNNER-FIX-HISTORY.md b/RUNNER-FIX-HISTORY.md
@@ -393,6 +393,14 @@ This file records the CI/workflow fix iterations so another agent can continue f
       - add explicit GitHub release creation step (`softprops/action-gh-release@v2`) attaching packed tarball and prebuild `.node` artifacts.
       - add npm auth validation step (`npm whoami`) and gate `npm publish` behind successful token check.
       - when npm token is missing/invalid, emit warning and skip npm publish instead of failing whole release workflow.
+
+  ### Iteration AI (in progress)
+  - User configured npm Trusted Publishing (GitHub OIDC), so token-based npm auth gating is no longer correct.
+  - Current local fix:
+    - `.github/workflows/tagged_release.yaml`
+      - removed `NPM_RELEASE_PUBLISH_TOKEN`-based auth check step.
+      - removed conditional publish gate tied to token validation.
+      - switched publish command to `npm publish --provenance` (OIDC-compatible publish path).
 ## Current Hypothesis
   Primary remaining blocker has shifted from crash/fatal errors to CLI capability variance on the Windows runner (notably `tsv` config availability).
 
