chore: add OIDC Trusted Publisher for NPM (#345)

MantisClone · Copilot · web-flow · commit d1a3ddad323f · 2025-10-28T09:20:46.000-04:00
Co-authored-by: Copilot &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/.github/workflows/npm-publish.yaml b/.github/workflows/npm-publish.yaml
@@ -8,6 +8,10 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  id-token: write  # Required for OIDC
+  contents: read
+
 jobs:
   release-if-necessary:
     runs-on: ubuntu-latest
@@ -26,11 +30,15 @@ jobs:
           fetch-depth: 0
 
       - name: Set up Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
-          node-version: '18'
+          node-version: '20'
           registry-url: 'https://registry.npmjs.org'
 
+      # Ensure npm 11.5.1 or later is installed
+      - name: Update npm
+        run: npm install -g npm@latest
+
       - name: Install dependencies 📥
         run: npm ci
 
@@ -49,12 +57,10 @@ jobs:
         if: steps.check-release.outputs.release-type == 'stable'
         run: npm publish --workspace=${{ matrix.package }}
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.REQUEST_BOT_NPM_TOKEN }}
           VITE_WEB3MODAL_PROJECT_ID: ${{ secrets.VITE_WEB3MODAL_PROJECT_ID }}
           
       - name: Publish next version 📦
         if: steps.check-release.outputs.release-type == 'next'
         run: npm run publish-next-release --workspace=${{ matrix.package }}
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.REQUEST_BOT_NPM_TOKEN }}
           VITE_WEB3MODAL_PROJECT_ID: ${{ secrets.VITE_WEB3MODAL_PROJECT_ID }}
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -33,4 +33,4 @@ Each component has its own version number. The versioning scheme we use is
 
 1. Increase the version number of a given component by running `npm version <major|minor|patch>` inside the package directory or by using the `--workspace=<package>` flag from the root directory.
 2. Create a PR.
-3. When the PR is merged, the CI will automatically publish the new version to NPM.
+3. When the PR is merged, the CI will automatically publish the new version to NPM using OIDC Trusted Publisher authentication (no manual tokens required).
diff --git a/README.md b/README.md
@@ -88,7 +88,7 @@ Run changeset version command to bump the version of the packages that have chan
 npx changeset version
 ```
 
-Push the changes to the remote repository. Once the changes are merged, the new versions will be deployed automatically.
+Push the changes to the remote repository. Once the changes are merged, the new versions will be deployed automatically using OIDC Trusted Publisher authentication.
 
-For more info about workinng with NPM workspaces see:
+For more info about working with NPM workspaces see:
 https://docs.npmjs.com/cli/v8/using-npm/workspaces
