
change publish workflow to trusted publishing#437

Merged
omer-topal merged 1 commit into
mainfrom
omer/trusted-publishing
Jun 12, 2026

Conversation

@omer-topal omer-topal (Contributor) commented Jun 12, 2026

Summary by CodeRabbit

Release Notes

  • Chores

    • Updated package publishing process with enhanced security measures.
  • Documentation

    • Updated release and publishing documentation with revised procedures and troubleshooting guidance.

coderabbitai (Bot) commented Jun 12, 2026

Caution: Review failed. Pull request was closed or merged during review.

📝 Walkthrough

This PR updates the npm publishing pipeline to use OIDC-based trusted publishing instead of token-based authentication. The GitHub Actions workflow now requests OIDC tokens, installs a compatible npm version, and removes environment variable-based token injection. Release documentation is revised to explain the new trusted publisher configuration and troubleshooting steps.

Changes

npm Trusted Publishing via OIDC

Layer / File(s): Summary

  • OIDC Permissions and Workflow Setup (.github/workflows/publish.yml): Explicit permissions block is added granting contents: read and id-token: write to enable GitHub Actions to issue OIDC tokens for npm trusted publishing.

  • Node.js and npm Configuration for Trusted Publishing (.github/workflows/publish.yml): Node.js setup is updated to version 22.14.0 with adjusted caching behavior, and a new installation step configures npm ^11.5.1 to support trusted publishing authentication.

  • Remove Token-Based Authentication (.github/workflows/publish.yml): The NODE_AUTH_TOKEN/NPM_TOKEN environment variable injection is removed from the publish step, eliminating dependency on stored npm token secrets.

  • Release Guide and Troubleshooting Updates (RELEASE.md): A new "Trusted Publisher" section documents GitHub Actions + OIDC configuration; the "Publish Workflow" steps are revised to reflect OIDC-based publishing; "Publish Failed" troubleshooting is updated with checks for trusted publisher settings and id-token: write permission; and the release checklist now verifies trusted publisher configuration instead of NPM_TOKEN validity.

Possibly Related PRs

  • Permify/permify-node#407: Prior PR that modified the same publish.yml workflow to change npm publishing authentication method (token-based vs. trusted publishing approaches).

Poem

🐰 OIDC tokens hop into view,
No secrets stored, authentication's new,
Trusted publisher takes the stage—
GitHub Actions writes the page,
Safer npm on every age! 🎉


🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks: ✅ 5 passed

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The PR title 'change publish workflow to trusted publishing' directly and accurately describes the main change—migrating from token-based to OIDC trusted publishing in the workflow.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.

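The change the walkthrough describes, shown as two workflow documents side by side: the token-based publish step it says was removed, then the OIDC trusted-publishing form. This is an added illustration, not the repository's actual publish.yml; the permissions block, Node 22.14.0 and npm ^11.5.1 come from the walkthrough, while the release trigger, the action versions, registry-url and the --provenance flag are assumptions.

```yaml
# Added illustration, not the repository's publish.yml. Two YAML documents:
# the token-based step the walkthrough says was removed, then the OIDC form.
# Assumed: the release trigger, action versions, registry-url, --provenance.
name: publish (before, token-based)
on:
  release:
    types: [published]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22.14.0
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish --access public
        env:
          # long-lived secret: anyone who reads it can publish until it is revoked
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
---
name: publish (after, trusted publishing)
on:
  release:
    types: [published]
permissions:
  contents: read   # from the walkthrough: least privilege for the checkout
  id-token: write  # from the walkthrough: lets the job request an OIDC token
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22.14.0
          registry-url: https://registry.npmjs.org
      # trusted publishing needs npm >= 11.5.1; the walkthrough pins ^11.5.1
      - run: npm install -g npm@^11.5.1
      - run: npm ci
      # no NODE_AUTH_TOKEN: npm exchanges the runner's OIDC token for a
      # short-lived publish credential, which npmjs.com accepts only if a
      # trusted publisher matching this repo and workflow file is configured
      - run: npm publish --provenance --access public
```

The "Publish Failed" checks in the walkthrough map onto this: the package's trusted publisher entry on npmjs.com must name this repository and the workflow filename, and the job must carry id-token: write, or the OIDC exchange is refused.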

@omer-topal omer-topal merged commit ca5b6db into main Jun 12, 2026
3 of 4 checks passed
@omer-topal omer-topal deleted the omer/trusted-publishing branch June 12, 2026 11:36