From 1ce7fcc0eda21417317546b1c83ac7d766d2ba84 Mon Sep 17 00:00:00 2001 From: Joe Fusco Date: Thu, 12 Feb 2026 07:01:01 -0500 Subject: [PATCH] ci: migrate to npm OIDC trusted publishing Replace NPM_TOKEN with OIDC authentication for npm publishing: - Add id-token permission for OIDC authentication - Upgrade to Node.js 22.x (includes npm with OIDC support) - Remove .npmrc creation step and NPM_TOKEN references - Add publishConfig with provenance to all published packages --- .github/workflows/release-packages.yml | 19 ++++++++----------- packages/block-editor-utils/package.json | 4 ++++ packages/blocks/package.json | 4 ++++ packages/faustwp-cli/package.json | 4 ++++ packages/faustwp-core/package.json | 4 ++++ 5 files changed, 24 insertions(+), 11 deletions(-) diff --git a/.github/workflows/release-packages.yml b/.github/workflows/release-packages.yml index d3b60a661..fc0b99f50 100644 --- a/.github/workflows/release-packages.yml +++ b/.github/workflows/release-packages.yml @@ -5,6 +5,11 @@ on: branches: - canary +permissions: + contents: write # For creating releases/tags + pull-requests: write # For creating version PRs + id-token: write # For npm OIDC authentication + jobs: release_packages: name: Release Packages @@ -16,22 +21,15 @@ jobs: # This makes Actions fetch all Git history so that Changesets can generate changelogs with the correct commits fetch-depth: 0 - - name: Setup Node.js 18.x + - name: Setup Node.js 22.x uses: actions/setup-node@v4 with: - node-version: 18.x + node-version: 22.x + registry-url: 'https://registry.npmjs.org' - name: Install Dependencies run: npm ci - - name: Create .npmrc - run: | - cat << EOF > "$HOME/.npmrc" - //registry.npmjs.org/:_authToken=$NPM_TOKEN - EOF - env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - - name: Create Release Pull Request or Publish to npm id: changesets uses: changesets/action@v1 
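Review bot: The new top-level `permissions:` block in `.github/workflows/release-packages.yml` grants `id-token: write`, `contents: write` and `pull-requests: write` to every job and step in the workflow, including the `npm ci` step that runs third-party install scripts before anything is published. Only `release_packages` is visible here, so moving the block under that job (`jobs.release_packages.permissions`) would stop any job added later from inheriting the ability to request an OIDC token that npm trusts for publishing. Consider also `run: npm ci --ignore-scripts`, or a separate build job without `id-token: write`, so dependency lifecycle scripts never run where the token can be requested. Whether the build depends on install scripts cannot be seen from this hunk.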
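Review bot: `node-version: 22.x` in the "Setup Node.js 22.x" step probably does not provide an npm new enough for trusted publishing: npm's documentation requires npm CLI 11.5.1 or later, and the Node.js 22 releases I know of bundle npm 10.x, so the publish may fail now that the `.npmrc` step is gone. Add an explicit upgrade before the changesets step, for example `- name: Update npm` with `run: npm install -g npm@11`, or move to a Node line that ships npm 11, and confirm with `npm --version` in the job log. Separately, `actions/setup-node@v4` and `changesets/action@v1` are referenced by mutable tags in a job that now holds `id-token: write`; pinning both to full commit SHAs limits what a retagged action could publish (the steps list starts and ends outside this hunk). Once an OIDC publish has succeeded, revoke the old `NPM_TOKEN` on npm and delete the repository secret, because removing the references here does not invalidate it.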
@@ -41,7 +39,6 @@ jobs: version: npm run version env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - name: Save Plugin version run: | json=${{ toJSON(steps.changesets.outputs.publishedPackages) }} diff --git a/packages/block-editor-utils/package.json b/packages/block-editor-utils/package.json index a0c37ec55..4b2ee3305 100644 --- a/packages/block-editor-utils/package.json +++ b/packages/block-editor-utils/package.json @@ -58,5 +58,9 @@ "engines": { "node": ">=18", "npm": ">=8" + }, + "publishConfig": { + "access": "public", + "provenance": true } } diff --git a/packages/blocks/package.json b/packages/blocks/package.json index e4cec2ab9..4cfe46314 100644 --- a/packages/blocks/package.json +++ b/packages/blocks/package.json @@ -43,5 +43,9 @@ "engines": { "node": ">=18", "npm": ">=8" + }, + "publishConfig": { + "access": "public", + "provenance": true } } diff --git a/packages/faustwp-cli/package.json b/packages/faustwp-cli/package.json index c6d3eadb0..57a08986b 100644 --- a/packages/faustwp-cli/package.json +++ b/packages/faustwp-cli/package.json @@ -59,5 +59,9 @@ "engines": { "node": ">=18", "npm": ">=8" + }, + "publishConfig": { + "access": "public", + "provenance": true } } diff --git a/packages/faustwp-core/package.json b/packages/faustwp-core/package.json index 103a4c741..8558911e9 100644 --- a/packages/faustwp-core/package.json +++ b/packages/faustwp-core/package.json @@ -98,5 +98,9 @@ "engines": { "node": ">=18", "npm": ">=8" + }, + "publishConfig": { + "access": "public", + "provenance": true } }
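Review bot: `"provenance": true` in the new `publishConfig` of `packages/block-editor-utils/package.json` makes every `npm publish` of the package require a supported CI OIDC environment, so a manual or emergency publish from a workstation will fail unless it is overridden with `--provenance=false`. The same block is added to `packages/blocks`, `packages/faustwp-cli` and `packages/faustwp-core`. As far as I know, npm also checks at publish time that `repository.url` in package.json matches the repository recorded in the provenance statement. That field lies outside these hunks, so confirm all four manifests declare it before the first OIDC release. If the release docs describe a manual fallback, record the override there.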