From 5c0ecf191376df406c1191d111096a8563e793ff Mon Sep 17 00:00:00 2001
From: Minkyu Cho
Date: Wed, 18 Mar 2026 17:33:56 +0900
Subject: [PATCH] ci(release): migrate npm publish to OIDC provenance-based auth

Replace NPM_TOKEN secret with GitHub OIDC identity for npm publishing.
Add id-token: write permission and --provenance flag, upgrade Node to 22.
---
 .github/workflows/release.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 888d48d..da58547 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,6 +5,7 @@ on:
 
 permissions:
   contents: write
+  id-token: write
 
 jobs:
   check-version:
@@ -171,7 +172,7 @@ jobs:
       - name: Setup Node.js (for npm publish)
         uses: actions/setup-node@v4
         with:
-          node-version: '18'
+          node-version: '22'
           registry-url: 'https://registry.npmjs.org'
 
       - name: Install dependencies
@@ -200,15 +201,13 @@ jobs:
 
       - name: Publish to npm
         run: |
-          npm publish --access public --tag ${{ steps.npm_tag.outputs.tag }} 2>&1 | tee npm-publish.log || {
+          npm publish --provenance --access public --tag ${{ steps.npm_tag.outputs.tag }} 2>&1 | tee npm-publish.log || {
           if grep -q "You cannot publish over the previously published versions" npm-publish.log; then
             echo "Version already published, skipping..."
           else
             exit 1
           fi
           }
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Calculate SHA256
         id: sha256
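Review bot: `id-token: write` is added to the workflow-level `permissions` block, so every job in this file, including `check-version` and anything else that runs before the publish step, can mint a GitHub OIDC token rather than only the job that publishes to npm. Least privilege for trusted publishing is to leave the top-level block as it was and declare the token permission on the publishing job alone, e.g. `permissions:` / `  contents: write` / `  id-token: write` under that job, since any third-party action in the other jobs could otherwise request a token that npm now accepts as this repository's identity. The jobs block continues outside the hunk, so which job owns the publish step cannot be confirmed from here.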
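Review bot: The rewritten `npm publish` line still pipes through `tee`, and with the default `run` shell (`bash -e {0}`, no pipefail) the `|| { ... }` block only sees tee's exit status, so a failed publish — including an OIDC rejection now that `NODE_AUTH_TOKEN` is gone — leaves the step green and the "already published" branch is never reached. Either add `shell: bash` to the step (GitHub's explicit bash shell runs with `-eo pipefail`) or make `set -o pipefail` the first line of the script. Separately, npm's OIDC trusted publishing needs a newer npm CLI than the one bundled with Node 22 (11.5.1 or later, as I recall — verify against npm's docs), so an `npm install -g npm@latest` step after setup-node is likely required, and the package must have a trusted publisher configured on npmjs.com for this repository and workflow file; neither is visible in this patch.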