From 5ac69d3f1d50ea289efa5d64dafaf9908939249c Mon Sep 17 00:00:00 2001
From: Vorflux AI <noreply@vorflux.com>
Date: Fri, 17 Apr 2026 02:05:34 +0000
Subject: [PATCH] fix: use OIDC trusted publishing instead of NPM_TOKEN

- Remove NODE_AUTH_TOKEN/NPM_TOKEN dependency (not needed with OIDC)
- Use --provenance flag directly on npm publish
- Pin node-version to 24 (npm 11.5.1+ required for OIDC trusted publishing)
- Requires trusted publisher configured on npmjs.com for this package
---
 .github/workflows/release.yml | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 47233da..4a0ad8c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -20,7 +20,8 @@ jobs:
       - name: Setup Node
         uses: actions/setup-node@v4
         with:
-          registry-url: "https://registry.npmjs.org"
+          node-version: '24'
+          registry-url: 'https://registry.npmjs.org'
 
       - name: Setup Bun
         uses: oven-sh/setup-bun@v2
@@ -58,8 +59,5 @@ jobs:
 
       - name: Publish
         if: steps.version-check.outputs.changed == 'true'
-        run: npm publish --access public
+        run: npm publish --access public --provenance
         working-directory: packages/code-chunk
-        env:
-          NPM_CONFIG_PROVENANCE: true
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}