Use npm trusted publishing in release workflow

[WellDunDun]

Summary

Converts npm publishing to Trusted Publishing (OIDC) so releases can run in GitHub Actions without interactive OTP.
Also updates the design doc to reflect the new auth requirement.

Changes

• Updated .github/workflows/publish.yml:
  • added id-token: write permission for the publish job
  • removed NODE_AUTH_TOKEN/NPM_TOKEN usage
  • bumped actions/setup-node to Node 24 (npm 11+ compatible for trusted publishing)
  • added an npm version check step for visibility
• Updated docs/design-docs/ci-enforcement-and-risk-policy.md to document Trusted Publisher requirement.

Testing

• bun test passes
• bun src/index.ts audit ../.. score maintained or improved
• No new external dependencies added

Audit Impact

No scoring logic changes. Self-audit remains 18/18 (L4: Self-Correcting).

Summary by CodeRabbit

• Chores

  • Upgraded Node.js runtime from version 20 to 24 in the CI/CD pipeline.
  • Implemented OIDC-based trusted publishing for npm package releases.
  • Added npm version verification step to the publish workflow.

• Documentation

  • Updated documentation to reflect changes to npm authentication configuration.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

[coderabbitai]

📝 Walkthrough

Walkthrough

The changes transition npm publishing authentication from token-based (NPM_TOKEN environment variable) to OIDC-based trusted publisher configuration, while updating Node.js runtime version to 24 and adding npm version verification steps in the CI workflow.

Changes

Cohort / File(s)	Summary
CI/CD Workflow Updates .github/workflows/publish.yml	Adds OIDC permission (id-token: write), upgrades Node.js from version 20 to 24, introduces npm version verification step, and removes NODE_AUTH_TOKEN environment variable in favor of trusted publisher authentication.
Documentation docs/design-docs/ci-enforcement-and-risk-policy.md	Updates authentication requirement from long-lived NPM_TOKEN secret to npm Trusted Publisher configuration via OIDC in the Consequences section.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: converting npm publishing to use Trusted Publishing (OIDC) instead of traditional token-based authentication.
Description check	✅ Passed	The description follows the template structure with all required sections completed: Summary, Changes, Testing checklist, and Audit Impact.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch WellDunDun/publish-trusted-oidc

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

🧹 Nitpick comments (2)

.github/workflows/publish.yml (2)

62-64: Consider validating minimum npm version.

The step prints the npm version for visibility but doesn't validate that it meets the minimum requirements for trusted publishing (npm 9.5.0+). This is a minor enhancement.

♻️ Optional: Add version validation

       - name: Verify npm version for trusted publishing
-        run: npm --version
+        run: |
+          NPM_VERSION=$(npm --version)
+          echo "npm version: $NPM_VERSION"
+          # npm 9.5.0+ required for provenance
+          if ! npx semver -r '>=9.5.0' "$NPM_VERSION" >/dev/null 2>&1; then
+            echo "::warning::npm version $NPM_VERSION may not support trusted publishing"
+          fi

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/publish.yml around lines 62 - 64, The current workflow
step "Verify npm version for trusted publishing" only prints the npm version via
"npm --version"; replace it with a validation that enforces a minimum of npm
9.5.0 and fails the job if unmet. Modify the step to capture the version and
compare it to "9.5.0" (e.g., using a short Node/JS semver check or a shell
semver utility) and exit non-zero when the installed version is lower, so the
action halts on unsupported npm versions.

---

53-56: Consider using Node.js 22 LTS instead of Node.js 24.

npm 11 requires Node.js ^20.17.0 || >=22.9.0. While Node.js 24 is now stable for production (entered Active LTS in October 2025), Node.js 22 LTS would be a more conservative and sufficient choice for npm trusted publishing, as it fully satisfies npm 11 requirements.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/publish.yml around lines 53 - 56, The workflow uses
actions/setup-node@v4 with node-version: "24", but npm 11 constraints recommend
using Node.js 22 LTS; update the node-version value in the publish GitHub
Actions step (the actions/setup-node@v4 configuration) from "24" to the Node 22
LTS string (e.g., "22" or a specific 22.x LTS pin) so the action runs with Node
22 while leaving registry-url unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/publish.yml:
- Around line 62-64: The current workflow step "Verify npm version for trusted
publishing" only prints the npm version via "npm --version"; replace it with a
validation that enforces a minimum of npm 9.5.0 and fails the job if unmet.
Modify the step to capture the version and compare it to "9.5.0" (e.g., using a
short Node/JS semver check or a shell semver utility) and exit non-zero when the
installed version is lower, so the action halts on unsupported npm versions.
- Around line 53-56: The workflow uses actions/setup-node@v4 with node-version:
"24", but npm 11 constraints recommend using Node.js 22 LTS; update the
node-version value in the publish GitHub Actions step (the actions/setup-node@v4
configuration) from "24" to the Node 22 LTS string (e.g., "22" or a specific
22.x LTS pin) so the action runs with Node 22 while leaving registry-url
unchanged.

---

ℹ️ Review info

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4ee51b7 and 0a50b10.

📒 Files selected for processing (2)

• .github/workflows/publish.yml
• docs/design-docs/ci-enforcement-and-risk-policy.md