From 15cfccbfbaa3fc9ed380e44a0c9a7ecd6442005a Mon Sep 17 00:00:00 2001
From: Doug Richar
Date: Wed, 14 Jan 2026 15:53:25 -0500
Subject: [PATCH] fix(ci): switch to npm trusted publishing for automated releases

Replace NPM_TOKEN-based authentication with OIDC trusted publishing, which bypasses 2FA requirements and eliminates the need for long-lived npm tokens. This is the recommended modern approach for npm publishing from GitHub Actions.

Changes:
- Remove NPM_TOKEN from release workflow environment
- Add npm audit signatures step for security verification
- Enable provenance in package.json publishConfig
---
 .github/workflows/release.yml | 4 +++-
 packages/haystack/package.json | 3 ++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e39e804..479a97f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -38,10 +38,12 @@ jobs:
 - name: Run CI checks
 run: pnpm run ci
 
+ - name: Verify dependency signatures
+ run: npm audit signatures
+
 - name: Release
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 GIT_AUTHOR_NAME: github-actions[bot]
 GIT_AUTHOR_EMAIL: github-actions[bot]@users.noreply.github.com
 GIT_COMMITTER_NAME: github-actions[bot]
diff --git a/packages/haystack/package.json b/packages/haystack/package.json
index 5b6d2ab..9d19c0f 100644
--- a/packages/haystack/package.json
+++ b/packages/haystack/package.json
@@ -40,7 +40,8 @@
 },
 "types": "./dist/index.d.mts",
 "publishConfig": {
- "access": "public"
+ "access": "public",
+ "provenance": true
 },
 "engines": {
 "node": ">=20"
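Review bot: Dropping `NPM_TOKEN` from the Release step's `env` only works if the job's `permissions:` block grants `id-token: write` (and `contents: write` if the release tool pushes tags), because the OIDC token is what replaces the removed secret; that block sits outside this hunk, so please confirm it is present on the release job, and that the runner's npm CLI is new enough for trusted publishing (the npm bundled with Node 20 predates it, so an `npm install -g npm@latest` before Release is likely needed). The `GIT_AUTHOR_*` env suggests a semantic-release style publish, in which case the npm plugin version must also be one that performs the OIDC exchange instead of reading `NPM_TOKEN`. The new `npm audit signatures` step verifies whatever tree npm can load, and this repo installs with pnpm (`pnpm run ci`), so check that the step actually verifies the installed packages and fails on a missing or invalid signature rather than exiting with nothing to audit; consider adding a comment such as `# verifies registry signatures of installed deps; requires a tree npm can read` above it. On the description wording: OIDC does not "bypass" 2FA, it replaces a long-lived token with a short-lived credential bound to this repository and workflow file, so the trust anchor becomes who can edit `release.yml` and which refs can run it — restricting the job to the release branch and protecting the workflow file is part of the same change.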
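Review bot: `"provenance": true` in `publishConfig` makes `npm publish` refuse to run anywhere it cannot obtain a signed CI identity, such as a maintainer's laptop, which is the desirable fail-closed behaviour but is a change in how the package can be released and should be stated in the package's release documentation. With trusted publishing the registry already generates provenance, so the flag is mostly belt-and-braces; it is still worth keeping, because it stops a future regression to token-based publishing from silently producing unattested releases. Since JSON has no comment syntax, note the intent in the README or CONTRIBUTING rather than in this file.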