WIP

Author: ryukzak

.github/workflows/canary-release.yml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     if: ${{ !contains(github.event.head_commit.message, '[skip release]') }}
     permissions:
-      id-token: write
+      id-token: write # Required for OIDC
       contents: read
     steps:
       - name: Checkout code
@@ -40,6 +40,11 @@ jobs:
       - name: Build project
         run: bun run build
 
+      - name: Debug OIDC
+        run: |
+          echo "ACTIONS_ID_TOKEN_REQUEST_URL: $ACTIONS_ID_TOKEN_REQUEST_URL"
+          echo "ACTIONS_ID_TOKEN_REQUEST_TOKEN: ${ACTIONS_ID_TOKEN_REQUEST_TOKEN:0:10}..."
+
       - name: Generate canary version
         id: version
         run: |
@@ -56,14 +61,8 @@ jobs:
             pkg.version = '${{ steps.version.outputs.canary_version }}';
             require('fs').writeFileSync('package.json', JSON.stringify(pkg, null, 2));
           "
-          cat package.json
-
-      - name: Check npm authentication
-        run: npm whoami
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
-      - name: Publish canary release with OIDC
-        run: npm publish --provenance --tag canary --access public
+      - name: Publish canary release with Trusted Publishing
+        run: npm publish --provenance --access public --tag canary
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true