From b1a09d5934a07968c8bc2c5402a672b58713f0d7 Mon Sep 17 00:00:00 2001
From: Jordan Ritter
Date: Mon, 6 Apr 2026 11:12:57 -0700
Subject: [PATCH] =?UTF-8?q?ci:=20fix=20npm=20OIDC=20publishing=20=E2=80=94?= =?UTF-8?q?=20update=20npm=20to=20latest,=20remove=20token=20override?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .github/workflows/publish-release.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index f12705e..bdae4c4 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -21,6 +21,10 @@ jobs:
 registry-url: "https://registry.npmjs.org"
 - run: pnpm install --frozen-lockfile
+ # Ensure npm is new enough for OIDC trusted publishing (>= 11.5.1)
+ - name: Update npm
+ run: npm install -g npm@latest
+
 - name: Check if version is already published
 id: check
 run: |
@@ -35,10 +39,7 @@ jobs:
 - name: Build and publish
 if: steps.check.outputs.published == 'false'
- run: |
- # Clear the placeholder token so npm uses OIDC instead
- npm config set //registry.npmjs.org/:_authToken ""
- pnpm build && npm publish --access public --provenance
+ run: pnpm build && npm publish --access public
 - name: Ensure git tag exists
 if: steps.check.outputs.published == 'false'
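Review bot: In the first hunk (`@@ -21,6 +21,10 @@`), the new `Update npm` step installs `npm@latest`, so the npm binary that later runs `npm publish` is whatever the registry tags as latest at run time and can change between releases with no change to this repository. Because this job publishes the package, pin the tool to a reviewed version that meets the stated minimum, for example `run: npm install -g npm@11.5.1`, and raise the pin deliberately. The job's `permissions` block and the earlier setup steps are outside the hunk, so how much of the publishing identity this step can reach is inferred from the commit subject rather than visible here.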
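Review bot: In the second hunk (`@@ -35,10 +39,7 @@`), the rewritten `run:` line drops `--provenance` together with the token override, while the commit subject mentions only the npm update and the override. If npm ever authenticates this publish with a token instead of OIDC, the package would presumably go out without a provenance attestation and the step would still pass. Keep the flag so that a publish without attestation fails, `run: pnpm build && npm publish --access public --provenance`, or add a comment above the step stating that provenance is expected to be generated automatically under trusted publishing.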