From de6caf40a05a1c38e71e63d2ba2a84ef34cca9ac Mon Sep 17 00:00:00 2001
From: Claude
Date: Fri, 12 Jun 2026 16:46:14 +0000
Subject: [PATCH] ci: migrate npm release to OIDC trusted publishing with provenance
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Add `id-token: write` permission so the workflow can mint an OIDC token
- Set `registry-url` on setup-node and upgrade npm to the latest (>= 11.5.1), which is required for trusted publishing
- Publish with `--provenance` and drop the long-lived `NPM_TOKEN` secret; authentication is now handled via OIDC trusted publishing
- Add `repository` (plus `homepage`/`bugs`) to package.json — a public `repository` field matching the source repo is required to generate provenance attestations
https://claude.ai/code/session_016qHimevBQJsTHzBxV7B2od
---
 .github/workflows/release.yaml | 23 ++++++++++++++---------
 package.json | 8 ++++++++
 2 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 2d061aa..3805237 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -6,7 +6,9 @@ on:
 types: [released]
 permissions:
- contents: read
+ contents: read
+ # Required for npm trusted publishing (OIDC) and provenance attestations
+ id-token: write
 env:
 HYPHEN_PUBLIC_API_KEY: ${{ secrets.HYPHEN_PUBLIC_API_KEY }}
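Review bot: `id-token: write` is granted in the workflow-level `permissions:` block here, so every job in this workflow can mint an OIDC token, not only the one that runs `npm publish`. Only the publishing job needs it; moving the grant into that job's own block (`permissions:` / `  contents: read` / `  id-token: write` under the job) leaves the workflow default at `contents: read`. If the workflow currently has a single job this changes nothing today, but it keeps the token scope tight as jobs are added later. The `jobs:` block this applies to is outside this hunk.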
@@ -31,20 +33,23 @@ jobs:
 with:
 node-version: 22
 cache: 'pnpm'
+ registry-url: 'https://registry.npmjs.org'
 - name: Install Dependencies
 run: pnpm install
- - name: Build
+ - name: Build
 run: pnpm build
- - name: Testing
+ - name: Testing
 run: pnpm test
- - name: Publish
- run: |
- npm config set //registry.npmjs.org/:_authToken ${NPM_TOKEN}
- npm publish --ignore-scripts
- env:
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+ # Trusted publishing (OIDC) requires npm CLI >= 11.5.1, which is newer than
+ # the version bundled with Node.js 22.
+ - name: Update npm
+ run: npm install -g npm@latest
+ - name: Publish
+ # No NPM_TOKEN: authentication is handled via OIDC trusted publishing.
+ # Provenance attestations are generated from the OIDC identity.
+ run: npm publish --provenance --ignore-scripts
diff --git a/package.json b/package.json
index a5ac095..e2efc31 100644
--- a/package.json
+++ b/package.json
@@ -2,6 +2,14 @@
 "name": "@hyphen/sdk",
 "version": "3.1.0",
 "description": "Hyphen SDK for Node.js",
+ "repository": {
+ "type": "git",
+ "url": "git+https://github.com/Hyphen/nodejs-sdk.git"
+ },
+ "homepage": "https://github.com/Hyphen/nodejs-sdk#readme",
+ "bugs": {
+ "url": "https://github.com/Hyphen/nodejs-sdk/issues"
+ },
 "type": "module",
 "packageManager": "pnpm@11.6.0",
 "main": "dist/index.cjs",
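Review bot: `npm install -g npm@latest` in the new Update npm step pulls an unpinned npm CLI into the release pipeline on every run, so the tool that authenticates, attests and publishes the package can change underneath the workflow without any commit to review. Pinning the version this migration was validated with, e.g. `run: npm install -g npm@<exact-version>` (at least 11.5.1, as the comment above the step states), keeps the publish step reproducible and turns future CLI upgrades into a reviewed change. Separately, since `NPM_TOKEN` is no longer referenced anywhere in this job, the underlying long-lived token should be revoked on npm and removed from the repository secrets; otherwise the credential this change takes out of the workflow still exists. The job's earlier steps, including the setup-node call that `registry-url` is added to, begin above this hunk.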