From 801968cca52091519f2810f84c5d350a6b400ef9 Mon Sep 17 00:00:00 2001
From: Jordan Ritter
Date: Mon, 6 Apr 2026 10:54:31 -0700
Subject: [PATCH] ci: switch npm publish to OIDC trusted publishing (no token needed)
---
 .github/workflows/publish-release.yml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index 3e219f6..30f65dc 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -7,6 +7,9 @@ jobs:
 release:
 runs-on: ubuntu-latest
 environment: npm
+ permissions:
+ contents: write
+ id-token: write
 steps:
 - uses: actions/checkout@v4
 with: { fetch-depth: 0 }
@@ -32,10 +35,7 @@ jobs:
 - name: Build and publish
 if: steps.check.outputs.published == 'false'
- run: pnpm release
- env:
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+ run: pnpm build && npm publish --access public --provenance
 - name: Ensure git tag exists
 if: steps.check.outputs.published == 'false'
@@ -50,7 +50,6 @@ jobs:
 if: steps.check.outputs.published == 'false'
 run: |
 TAG="v${{ steps.check.outputs.version }}"
- # --verify-tag ensures the tag exists before creating the release
 gh release create "${TAG}" --generate-notes --title "${TAG}" --verify-tag
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
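Review bot: The new `run: pnpm build && npm publish --access public --provenance` line in the second hunk relies on the npm CLI silently exchanging the job's OIDC token for publish credentials, which only works with a recent npm (trusted publishing needs npm 11.5 or later, as far as I know) and with no leftover token-based auth configured in `.npmrc`; the `setup-node` step is outside this hunk, so verify that it pins a Node/npm new enough and that any `registry-url:` it sets does not leave an `_authToken` entry that would take precedence over OIDC. Removing `NPM_TOKEN` from the workflow does not revoke it — the repository secret and the underlying npm token still exist, so delete the token on npmjs.com and remove the secret once this path is confirmed working, otherwise the long-lived credential this change set out to eliminate stays live. Replacing `pnpm release` with a bare build-and-publish also changes what runs: if the old script did more than build and publish, or if `package.json` uses `workspace:` specifiers (which `pnpm publish` rewrites and `npm publish` does not), that behaviour is lost without any error; I can't confirm either from the hunk. A comment above the step would spare the next reader the research, e.g. `# Trusted publishing: npm exchanges the job's OIDC id-token (job-level id-token: write) for a short-lived publish token, so no NPM_TOKEN secret is needed; the npmjs.com trusted-publisher entry must match this repo, workflow file and the npm environment.`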