ci: github action as trusted publisher removes token

soyuka · soyuka · commit d40a846ceafc · 2026-02-08T23:17:14.000+01:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,5 +1,9 @@
 name: Release
 
+permissions:
+  id-token: write
+  contents: read
+
 on:
   workflow_dispatch: ~
   push:
@@ -24,6 +28,7 @@ jobs:
         with:
           node-version: 22
           cache: "pnpm"
+          registry-url: "https://registry.npmjs.org"
 
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
@@ -41,6 +46,6 @@ jobs:
         run: pnpm build
 
       - name: Publish to npm
-        run: pnpm publish --no-git-checks
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: |
+          node -e "const p=require('./package.json'); delete p.packageManager; if(p.devEngines) delete p.devEngines.packageManager; require('fs').writeFileSync('package.json', JSON.stringify(p, null, 2))"
+          npm publish --provenance --access public
diff --git a/package.json b/package.json
@@ -76,19 +76,14 @@
     "typescript": "^5.8.3",
     "vitest": "^3.2.4"
   },
-  "packageManager": "pnpm@10.13.1+sha512.37ebf1a5c7a30d5fabe0c5df44ee8da4c965ca0c5af3dbab28c3a1681b70a256218d05c81c9c0dcf767ef6b8551eb5b960042b9ed4300c59242336377e01cfad",
+  "packageManager": "pnpm@10.29.1",
   "engines": {
     "node": ">= 20"
   },
   "publishConfig": {
     "access": "public"
   },
   "devEngines": {
-    "packageManager": {
-      "name": "pnpm",
-      "version": ">= 10.0.0",
-      "onFail": "download"
-    },
     "runtime": {
       "name": "node",
       "version": ">= 20"
