chore: migrate publish to npm Trusted Publishing (OIDC)

[himerus]

Summary

Migrates helixir to npm Trusted Publishing (OIDC), removing the long-lived NPM_TOKEN dependency. Part of the org-wide migration in response to the npm Mini Shai-Hulud token rotation event. Pattern validated on discord-ops@0.23.3 and create-helix@0.9.5.

Changes

• Add environment: npm-publish to publish job
• Remove NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} from changesets/action env
• Keep NPM_CONFIG_PROVENANCE: 'true'
• id-token: write already present at workflow level

Why no npm-install step

helixir publishes via pnpm (pinned 9.15.9). pnpm 9.15.9 has native OIDC trusted-publishing auth — confirmed working on create-helix@0.9.5 (same pnpm version).

npm-side configuration (required before merge)

• Trusted Publisher entry on https://www.npmjs.com/package/helixir:
  • org: bookedsolidtech, repo: helixir, workflow: publish.yml, environment: npm-publish
• Verify the entry actually saved — npm's UI silently dropped create-helix's first attempt.

Note

pnpm audit reports 42 vulns (13 high). These do NOT block publish (helixir's prepublishOnly has no audit gate). PR #226 already tracks transitive-dep patching.

Test plan

• CI green
• Merge → VP PR opens → merge → publishes via OIDC
• npmjs.com shows new version with provenance + TP indicator

Summary by CodeRabbit

• Chores
  • Migrated npm package publishing to Trusted Publishing via GitHub Actions OIDC for enhanced security. No changes to package functionality.

[coderabbitai]

Warning

Rate limit exceeded

@himerus has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 34 minutes and 39 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: eaf9517d-d6a4-4208-9cba-da69d8ed3804

📥 Commits

Reviewing files that changed from the base of the PR and between c172709 and 162b1cd.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (3)

• .changeset/audit-fix-high-sev-overrides.md
• .github/workflows/ci-matrix.yml
• package.json

Walkthrough

This PR migrates npm publishing from long-lived token authentication to GitHub Actions OIDC (Trusted Publishing). The publish workflow assigns the job to the npm-publish environment for OIDC federation, removes NODE_AUTH_TOKEN from the step configuration, and documents the change as a patch release in the changeset.

Changes

Trusted Publishing Migration

Layer / File(s)	Summary
Migration documentation .changeset/trusted-publishing-migration.md	Changeset entry for helixir patch release documenting migration to Trusted Publishing via GitHub Actions OIDC, removal of NPM_TOKEN dependency, and preservation of Sigstore provenance attestation.
Workflow authentication configuration .github/workflows/publish.yml	Publish job assigned to npm-publish environment for OIDC token federation; NODE_AUTH_TOKEN removed from changesets/action@v1 step environment variables while preserving NPM_CONFIG_PROVENANCE and HUSKY settings.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• bookedsolidtech/helixir#93: Changes .github/workflows/publish.yml authentication setup around changesets/action@v1 environment variables.
• bookedsolidtech/helixir#44: Modifies npm publish workflow around the changesets release/publish pipeline configuration.
• bookedsolidtech/helixir#22: Changes GitHub Actions npm publishing authentication by modifying NODE_AUTH_TOKEN handling in the publish workflow.

Suggested labels

skip-changeset

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly and accurately summarizes the main change: migrating npm publishing to Trusted Publishing with OIDC, which is the primary objective of the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/migrate-to-trusted-publishing

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}