From 0e0b0f136220e266a62871972a98a7c64402ff13 Mon Sep 17 00:00:00 2001
From: Claude
Date: Tue, 9 Jun 2026 16:37:08 +0000
Subject: [PATCH 1/2] ci: publish via OIDC trusted publishing with provenance

Switch the release workflow from a long-lived NPM_TOKEN to npm OIDC trusted publishing, eliminating the stored token entirely.
- Remove NPM_TOKEN env var and the .npmrc auth-token step; the id-token: write permission (already present) lets pnpm's native publish exchange the GitHub OIDC token for a short-lived publish token.
- Set registry-url so the OIDC token exchange targets npmjs.org.
- Add --provenance to pnpm publish so attestations are generated.
- Add repository field to package.json, required for provenance.
Everything in the release pipeline now runs through pnpm.
---
.github/workflows/release.yaml | 8 ++------
package.json | 4 ++++
2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 51da822..931b4a4 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -12,7 +12,6 @@ permissions: env: HYPHEN_PUBLIC_API_KEY: ${{ secrets.HYPHEN_PUBLIC_API_KEY }} HYPHEN_APPLICATION_ID: ${{ secrets.HYPHEN_APPLICATION_ID }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} jobs: build:
@@ -29,6 +28,7 @@ jobs: uses: actions/setup-node@v6 with: node-version: 24 + registry-url: 'https://registry.npmjs.org' cache: 'pnpm' - name: Install Dependencies
@@ -40,9 +40,5 @@ jobs: - name: Testing run: pnpm test:ci - - name: Set NPM Auth Token - run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > .npmrc - - name: Publish - run: | - pnpm publish --no-git-checks --ignore-scripts --access public + run: pnpm publish --provenance --no-git-checks --ignore-scripts --access public
diff --git a/package.json b/package.json
index 6ea2b16..be34b3f 100644
--- a/package.json
+++ b/package.json
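Review bot: The `registry-url` line added to the `setup-node` step carries no comment saying that it exists for the OIDC exchange and that no `NODE_AUTH_TOKEN` is meant to accompany it, so a later maintainer could reasonably "repair" the step by re-adding a stored token. I would add `# registry only: auth comes from OIDC trusted publishing, do not set NODE_AUTH_TOKEN` above it. The `uses: actions/setup-node@v6` context line references the action by mutable tag; since this job can now obtain publish rights through `id-token: write`, pinning it to a commit SHA is worth considering. The step begins outside the hunk.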
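Review bot: The new `Publish` step relies on `id-token: write`, which the `permissions:` hunk header and the commit message suggest is granted for the whole workflow, so the install, build and test steps that run earlier in the same job can request the same OIDC token that is exchanged for publish rights. Consider moving publish into its own job that declares `permissions: { id-token: write, contents: read }` and consumes the built artifact, leaving the build/test job with `contents: read` only, and restricting the trusted-publisher entry on npm to this workflow file (and a protected environment, if one is used). The exchange also depends on the npm CLI in use (trusted publishing needs npm 11.5.1 or later, and pnpm may delegate publishing to it; worth confirming), so a `run: npm --version` step before publish would make a mismatch visible now that there is no token fallback. The `jobs.build` definition starts outside the hunk.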
@@ -36,6 +36,10 @@ ], "author": "Team Hyphen ", "license": "MIT", + "repository": { + "type": "git", + "url": "git+https://github.com/Hyphen/react-sdk.git" + }, "engines": { "node": ">=22.12.0" },
From b937170f583c263bbadda2931b4c8dd4a2eaa09c Mon Sep 17 00:00:00 2001
From: Claude
Date: Tue, 9 Jun 2026 17:27:19 +0000
Subject: [PATCH 2/2] ci: drop pnpm cache from setup-node in release workflow
---
.github/workflows/release.yaml | 1 -
1 file changed, 1 deletion(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 931b4a4..15dca0c 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -29,7 +29,6 @@ jobs: with: node-version: 24 registry-url: 'https://registry.npmjs.org' - cache: 'pnpm' - name: Install Dependencies run: pnpm install --frozen-lockfile