ci: switch publish workflow to npm trusted publishing#2680

Merged
ymc9 merged 1 commit into
devfrom
ci/trusted-publishing
May 24, 2026

Conversation

@ymc9
Member

@ymc9 ymc9 commented May 24, 2026

Summary

  • Switch the publish workflow to npm OIDC trusted publishing (drops NPM_TOKEN, adds id-token: write and NPM_CONFIG_PROVENANCE).
  • Bump Node to 24.x so the bundled npm (11.x) supports trusted publishing without an extra npm install -g npm@latest step.

Test plan

  • Trusted publisher config exists on each @zenstackhq/* package (see scripts/setup-trusted-publishers.sh).
  • Trigger the workflow on main and confirm publish + provenance succeeds without NPM_TOKEN.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Enhanced release workflow security and reliability with updated build tooling and provenance generation for published packages.

Commit message

Use Node 24 (ships npm 11) and provenance via OIDC instead of NPM_TOKEN.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
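The shape of the change this PR describes, as an added illustration rather than the project's own publish-release.yml: the old secret-based publish step is shown as a comment above the trusted-publishing form. The trigger, job name, `contents: read` and build commands are assumptions; the `id-token: write` permission, the Node 24.x / npm 11 pairing and `NPM_CONFIG_PROVENANCE: 'true'` are the settings named in the PR.

```yaml
# Added illustration of the change this PR describes; not the project's own
# publish-release.yml. Trigger, job name and build commands are assumptions;
# the permission, Node version and env var are the ones named in the PR.
#
# Before (weak): a long-lived NPM_TOKEN repository secret is handed to npm.
# Anyone who can read that secret (or a leaked copy of it) can publish.
#
#   steps:
#     - uses: actions/setup-node@v4
#       with:
#         node-version: 22.x
#         registry-url: https://registry.npmjs.org
#     - run: npm publish
#       env:
#         NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
#
# After (trusted publishing): no secret at all. The job mints a short-lived
# OIDC token, npm 11 (bundled with Node 24) exchanges it with the registry
# for the pre-registered repo/workflow pair, and each published tarball
# carries a provenance attestation tying it to this workflow run.
name: publish-release

on:
  push:
    tags: ['v*']          # assumption: release on version tags

permissions:
  contents: read          # assumption; least privilege for a checkout
  id-token: write         # lets the job request an OIDC token (from the PR)

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 24.x            # ships npm 11.x, no npm upgrade step
          registry-url: https://registry.npmjs.org

      - run: npm ci
      - run: npm run build              # assumption: build script name

      # No NODE_AUTH_TOKEN here: the OIDC exchange replaces it.
      - run: npm publish --access public
        env:
          NPM_CONFIG_PROVENANCE: 'true'
```

The exchange only succeeds once the repository and workflow filename are registered as a trusted publisher on each npm package, which is why the test plan checks that configuration first. Consumers can verify the resulting attestations on installed packages with `npm audit signatures`.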
@coderabbitai
Contributor

coderabbitai Bot commented May 24, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 97d674e and de3d483.

📒 Files selected for processing (1)
  • .github/workflows/publish-release.yml

📝 Walkthrough

The publish-release workflow is updated to modernize its security and runtime configuration. The job now requests OIDC token permissions, the Node.js environment is upgraded to 24.x, and npm authentication switches from secrets-based tokens to provenance generation.

Changes

Release Workflow Security and Runtime

Layer: Release workflow security and runtime updates
File(s): .github/workflows/publish-release.yml
Summary: Workflow permissions block adds id-token: write for OIDC token issuance. Node.js setup upgrades from 22.x to 24.x. Package publishing step replaces the NODE_AUTH_TOKEN secret with the NPM_CONFIG_PROVENANCE: 'true' environment variable.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A workflow hops to Node twenty-four,
OIDC tokens unlock the secure door,
Provenance builds the trust we adore,
Release packages safe, forevermore!

🚥 Pre-merge checks (5 passed)

  • Description Check: ✅ Passed. Check skipped because CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately summarizes the main change: switching the publish workflow to use npm OIDC trusted publishing instead of NPM_TOKEN authentication.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


@claude
Contributor

claude Bot commented May 24, 2026

Claude finished @ymc9's task

Code Review Complete ✅

Todo List

  • Read and analyze workflow file changes
  • Review npm trusted publishing implementation
  • Check Node.js version bump rationale
  • Assess security implications
  • Evaluate test coverage approach
  • Provide comprehensive feedback

Review Feedback

Excellent Implementation

The switch to npm trusted publishing is well-executed and follows best practices:

Correct Changes Made:

  1. Added id-token: write permission (.github/workflows/publish-release.yml:14) - Required for OIDC token access
  2. Replaced token-based auth with provenance (.github/workflows/publish-release.yml:59) - NPM_CONFIG_PROVENANCE: 'true' instead of NODE_AUTH_TOKEN
  3. Node.js version bump to 24.x (.github/workflows/publish-release.yml:32) - Ensures npm 11.x which supports trusted publishing natively

🔒 Security Improvements

  • Eliminates secret management: No more NPM_TOKEN in repository secrets
  • OIDC-based authentication: More secure than long-lived tokens
  • Provenance attestation: Adds supply chain security with verifiable build artifacts
  • Principle of least privilege: Only grants id-token: write when needed

Performance & Operational Benefits

  • Simplified setup: No manual token rotation required
  • Better audit trail: OIDC tokens provide detailed context about the publishing source
  • Native npm support: Node 24.x includes npm 11.x with built-in trusted publishing support

📋 Test Coverage Assessment

Strengths in Test Plan:

  • Manual verification approach is appropriate for CI/CD changes
  • Covers the two critical validation points (config existence + workflow execution)

Suggestions for Improvement:

  1. Missing trusted publisher setup script: The PR references scripts/setup-trusted-publishers.sh but this file doesn't exist in the codebase
  2. Package verification: Consider adding a step to verify all @zenstackhq/* packages have trusted publisher configuration
  3. Rollback plan: Document how to revert if trusted publishing fails

🔍 Minor Observations

Good practices maintained:

  • Consistent formatting and structure
  • Proper use of environment variables
  • Maintained existing workflow behavior (triggers, steps, etc.)

Code quality:

  • Clean, minimal changes that achieve the goal
  • No unnecessary modifications to unrelated workflow parts

📋 Recommended Next Steps

  1. Create the referenced scripts/setup-trusted-publishers.sh script for documentation
  2. Verify trusted publisher configuration exists for all packages before merging
  3. Test the workflow on a non-production branch first if possible

🎯 Overall Assessment

This is a high-quality implementation of npm trusted publishing. The changes are minimal, focused, and follow security best practices. The approach eliminates secret management overhead while improving supply chain security through provenance attestation.

Recommendation: Approved


@ymc9 ymc9 merged commit 7b387cd into dev May 24, 2026
8 checks passed
@ymc9 ymc9 deleted the ci/trusted-publishing branch May 24, 2026 05:25