From 0a50b10e8b1164156297c890584387ba593129ba Mon Sep 17 00:00:00 2001 From: WellDunDun <45949032+WellDunDun@users.noreply.github.com> Date: Mon, 23 Feb 2026 18:48:38 +0300 Subject: [PATCH] Switch npm publish workflow to trusted publishing --- .github/workflows/publish.yml | 8 +++++--- docs/design-docs/ci-enforcement-and-risk-policy.md | 2 +- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 27450fc..d59d5b4 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -39,6 +39,7 @@ jobs: runs-on: ubuntu-latest permissions: contents: write + id-token: write steps: - uses: actions/checkout@v4 with: @@ -51,13 +52,16 @@ jobs: - uses: actions/setup-node@v4 with: - node-version: "20" + node-version: "24" registry-url: "https://registry.npmjs.org" - name: Install dependencies working-directory: cli/reins run: bun install + - name: Verify npm version for trusted publishing + run: npm --version + - name: Check if publish is needed id: check working-directory: cli/reins @@ -80,8 +84,6 @@ jobs: if: steps.check.outputs.should_publish == 'true' working-directory: cli/reins run: npm publish --access public - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - name: Create GitHub Release if: steps.check.outputs.should_publish == 'true' diff --git a/docs/design-docs/ci-enforcement-and-risk-policy.md b/docs/design-docs/ci-enforcement-and-risk-policy.md index 4b1a09c..6958ccd 100644 --- a/docs/design-docs/ci-enforcement-and-risk-policy.md +++ b/docs/design-docs/ci-enforcement-and-risk-policy.md 
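Review bot: `id-token: write` is granted at job level without an `environment:` on the job, so the OIDC token npm receives is bound only to the repository, ref and the literal workflow filename, and none of GitHub's deployment protection rules (required reviewers, branch restriction) gate the publish. Consider adding `environment: npm-publish` to this job and registering that environment name in the package's npm trusted-publisher settings, which as far as I can tell accept an optional environment; that makes the environment's rules a precondition for minting a publishable token. It is also worth a one-line comment above `permissions:` recording the coupling, e.g. `# npm trusted publishing binds to this file's name (publish.yml); renaming it breaks publish`, since the binding is invisible from the YAML alone. The `steps:` list continues outside the hunk.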
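Review bot: The new "Verify npm version for trusted publishing" step only runs `npm --version` and cannot fail, so it verifies nothing; with `node-version: "24"` the bundled npm depends on whichever 24.x setup-node resolves, and early 24.x releases shipped an npm below the 11.5.1 minimum that trusted publishing needs, which would only surface later as an auth error at `npm publish`. Make the step assert the minimum and fail fast, so the job stops before the publish decision rather than after (the exact floor should be confirmed against current npm docs). The `Check if publish is needed` step continues outside the hunk.
```yaml
- name: Verify npm version for trusted publishing
  run: |
    v="$(npm --version)"
    echo "npm $v"
    # trusted publishing (OIDC) needs npm >= 11.5.1; fail here, not at publish time
    lowest="$(printf '%s\n%s\n' 11.5.1 "$v" | sort -V | head -n1)"
    [ "$lowest" = 11.5.1 ] || { echo "npm >= 11.5.1 required, found $v" >&2; exit 1; }
```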
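Review bot: The `NPM_TOKEN` secret and the npm token behind it stay valid after this hunk, so a leaked or forgotten copy of that token can still publish the package by the old path and the security gain of the switch is only partial. The follow-up should delete the repository secret, revoke the token on npmjs.com, and set the package's publishing access to require 2FA and disallow tokens so the trusted-publisher workflow is the only publish route; a short comment above `run: npm publish --access public` such as `# auth comes from the OIDC id-token (trusted publishing); no NODE_AUTH_TOKEN is set on purpose` would stop a future maintainer from re-adding a token. If the package is public, also spot-check the next published version for `dist.attestations` in `npm view <pkg> --json`, since trusted publishing is expected to attach provenance automatically — confirm against current npm docs. The `Create GitHub Release` step continues outside the hunk.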
@@ -53,5 +53,5 @@ It now uses explicit regex patterns for gates like `lint`, `test`, and `typechec
 - CLI projects can satisfy the legibility observability signal with strong diagnosability evidence instead of irrelevant service observability infrastructure.
 - Lint baseline has been reduced and now passes cleanly in local checks; CI lint remains advisory until the workflow flips the gate to blocking.
 - Merges to master only publish when the merged PR already includes a new package version.
-- Requires `NPM_TOKEN` secret in GitHub repo settings for npm authentication.
+- Requires npm Trusted Publisher configuration for this GitHub repository/workflow (OIDC), not a long-lived `NPM_TOKEN`.
 - Fork PRs may still require maintainer follow-up for version bump commits.