From 9f8d468718e261f99df70414e9bee38d6de957d6 Mon Sep 17 00:00:00 2001
From: Claude
Date: Sun, 21 Jun 2026 00:00:27 +0000
Subject: [PATCH 1/4] ci: migrate npm release to OIDC trusted publishing Replace the long-lived NPM_TOKEN secret with npm's OIDC trusted publishing: - Add id-token: write permission required for OIDC token exchange - Upgrade npm to latest to ensure trusted publishing support (requires npm >= 11.5.1) - Drop the _authToken config and NPM_TOKEN env; npm publish now authenticates to the registry via OIDC Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_019zx7bvzz1yUn36wLtyynxM
---
 .github/workflows/release.yaml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 03336b8..0edc679 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -7,6 +7,7 @@ on: permissions: contents: read + id-token: write env: HYPHEN_PUBLIC_API_KEY: ${{ secrets.HYPHEN_PUBLIC_API_KEY }}
@@ -32,6 +33,9 @@ jobs: - name: Enable Corepack run: corepack enable + - name: Update npm + run: npm install -g npm@latest + - name: Install Dependencies run: pnpm install
@@ -42,8 +46,4 @@ jobs: run: pnpm test:ci - name: Publish - run: | - npm config set //registry.npmjs.org/:_authToken ${NPM_TOKEN} - npm publish --ignore-scripts --access public - env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} + run: npm publish --ignore-scripts --access public
From 9454d6c19dae72bab7c6c36ebda6ce5ba5217871 Mon Sep 17 00:00:00 2001
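Review bot: `id-token: write` is added to the workflow-level `permissions` block (first hunk of PATCH 1/4), so every job and step in release.yaml can request an OIDC token, including the `pnpm install` and `pnpm test:ci` steps that run dependency and test code before Publish. Declaring it on the publishing job instead (a job-level `permissions:` with `contents: read` and `id-token: write`) keeps the grant as narrow as the workflow allows; the `jobs:` section is only partly visible in these hunks, so how many jobs exist cannot be told from here. Splitting install/test and publish into separate jobs, with only the publish job holding `id-token: write`, would narrow it further. A comment above the Publish step such as `# Auth: npm OIDC trusted publishing; needs id-token: write, no NPM_TOKEN` would also keep a later maintainer from re-adding a long-lived token.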
From: Claude
Date: Sun, 21 Jun 2026 00:05:00 +0000
Subject: [PATCH 2/4] build: add repository metadata for OIDC trusted publishing npm trusted publishing requires the package's repository.url to match the GitHub repository, otherwise the OIDC publish handshake fails. package.json had no repository field, so add repository, bugs, and homepage pointing at Hyphen/browser-sdk. Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_019zx7bvzz1yUn36wLtyynxM
---
 package.json | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/package.json b/package.json
index 1e4b17a..e019a02 100644
--- a/package.json
+++ b/package.json
@@ -35,6 +35,14 @@
 ],
 "author": "Team Hyphen ",
 "license": "MIT",
+ "repository": {
+ "type": "git",
+ "url": "git+https://github.com/Hyphen/browser-sdk.git"
+ },
+ "bugs": {
+ "url": "https://github.com/Hyphen/browser-sdk/issues"
+ },
+ "homepage": "https://github.com/Hyphen/browser-sdk#readme",
 "devDependencies": {
 "@biomejs/biome": "^2.5.0",
 "@faker-js/faker": "^10.5.0",
From 6ddb5862b1ca79a8af6f188abdf3b90db3d666f5 Mon Sep 17 00:00:00 2001
From: Claude
Date: Sun, 21 Jun 2026 17:54:06 +0000
Subject: [PATCH 3/4] ci: use pnpm for release setup and publish Address review feedback to standardize on pnpm: - Publish with pnpm publish (OIDC trusted publishing) instead of npm - Drop the npm upgrade step; pnpm is provided by pnpm/action-setup - Remove the redundant corepack enable step now that pnpm/action-setup installs pnpm Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_019zx7bvzz1yUn36wLtyynxM
---
 .github/workflows/release.yaml | 8 +-------
 1 file changed, 1 insertion(+), 7 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 0edc679..43ed56c 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -30,12 +30,6 @@ jobs: node-version: 24 cache: 'pnpm' - - name: Enable Corepack - run: corepack enable - - - name: Update npm - run: npm install -g npm@latest - - name: Install Dependencies run: pnpm install
@@ -46,4 +40,4 @@ jobs: run: pnpm test:ci - name: Publish - run: npm publish --ignore-scripts --access public + run: pnpm publish --ignore-scripts --no-git-checks --access public
From d2e7099f7f5058d5f515e8ba559255b2d1b6052c Mon Sep 17 00:00:00 2001
From: Claude
Date: Sun, 21 Jun 2026 17:56:17 +0000
Subject: [PATCH 4/4] ci: remove pnpm cache from setup-node Per review feedback, drop the cache: 'pnpm' option from the Node.js setup step in the release workflow. Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_019zx7bvzz1yUn36wLtyynxM
---
 .github/workflows/release.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 43ed56c..7d0df44 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -28,7 +28,6 @@ jobs: uses: actions/setup-node@v6 with: node-version: 24 - cache: 'pnpm' - name: Install Dependencies run: pnpm install
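Review bot: `--no-git-checks` on the Publish step (second hunk of PATCH 3/4) switches off pnpm's pre-publish checks that the working tree is clean and on the publish branch, so anything the earlier install, build or test steps modified or generated in the checkout is packed into the released tarball without complaint. The workflow trigger is outside these hunks; if the flag is there only because the job runs on a tag or detached HEAD, a preceding step such as `run: git diff --exit-code` would keep the clean-tree guarantee. The same patch also drops the npm upgrade step although PATCH 1/4 states trusted publishing needs npm >= 11.5.1; depending on the pnpm version, `pnpm publish` may hand the upload to the npm CLI bundled with Node 24, so I would add a step before Publish that fails if `npm --version` is below that minimum, or note in a comment which pnpm version performs the OIDC exchange itself.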