From 00242c8b590e99add6f6c68d3bb3a83d4993d427 Mon Sep 17 00:00:00 2001
From: Christopher Tso <christso@gmail.com>
Date: Thu, 9 Apr 2026 06:11:32 +0000
Subject: [PATCH] ci: add NPM_CONFIG_PROVENANCE to trigger OIDC token exchange

Without --provenance (or NPM_CONFIG_PROVENANCE=true), npm doesn't use
the OIDC token and falls back to requiring manual auth.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .github/workflows/publish.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index b8c285a85..b9c465612 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -43,6 +43,8 @@ jobs:
       - name: Publish to npm (next)
         if: inputs.action == 'publish-next'
         run: bun run publish:next
+        env:
+          NPM_CONFIG_PROVENANCE: true
 
       - name: Promote to latest
         if: inputs.action == 'promote-latest'