From 7d9c2d3a00ba2607e78d2714ea8aea66a0320e3a Mon Sep 17 00:00:00 2001
From: Ryan Carniato
Date: Thu, 11 Jun 2026 19:51:19 -0700
Subject: [PATCH 1/4] ci: switch release workflow to npm trusted publishing (OIDC)

npm now enforces 2FA on legacy token publishes, causing EOTP failures in CI. Use OIDC trusted publishing instead: grant id-token permission, upgrade npm to >= 11.5.1, and drop the NPM_PUBLISH_TOKEN secret.
---
 .github/workflows/release.yml | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e07798c84..076dcbd25 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,13 +8,18 @@ on:
 
 concurrency: ${{ github.workflow }}-${{ github.ref }}
 
+permissions:
+  contents: write
+  pull-requests: write
+  id-token: write # Required for npm trusted publishing (OIDC)
+
 jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - uses: pnpm/action-setup@v3
 
@@ -25,6 +30,10 @@ jobs:
           registry-url: "https://registry.npmjs.org"
           cache: "pnpm"
 
+      # Trusted publishing requires npm >= 11.5.1; Node 22 bundles npm 10.x
+      - name: Update npm for trusted publishing
+        run: npm install -g npm@latest
+
       - name: Install Dependencies
         run: pnpm i --frozen-lockfile
 
@@ -37,5 +46,6 @@ jobs:
           commit: "chore: release"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
+          # Empty token keeps changesets/action happy while npm authenticates via OIDC
+          # https://github.com/changesets/changesets/issues/1152
+          NPM_TOKEN: ""

From 0bcd4c368b73fc3f4a461a28f981537f8fe39aef Mon Sep 17 00:00:00 2001
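Review bot: With `id-token: write` now granted at workflow scope, any step in this job can obtain an OIDC token that npm will accept for publishing, yet `actions/checkout@v4` and `pnpm/action-setup@v3` in this hunk are still resolved by mutable tag (the same presumably holds for the changesets action further down, outside the hunk). Pinning each action to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4`, is the usual hardening for a workflow that holds publish credentials. Moving the `permissions:` block under `jobs.release` would also keep the grant from silently applying to any job added to this file later; with a single job it is equivalent today.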
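Review bot: The comment `# Trusted publishing requires npm >= 11.5.1; Node 22 bundles npm 10.x` states a hard floor, but the step only installs `npm@latest` and nothing checks the floor before the changesets step publishes, so a regression would surface only as a failed or token-less publish. The later commits in this series remove this step and move the assumption into `.nvmrc` (24.16.0, then 24.15.0), where it is equally unchecked, so a guard that fails fast on an old bundled npm serves the end state as well. A single line such as `run: printf '%s\n11.5.1\n' "$(npm --version)" | sort -V | head -n1 | grep -qxF 11.5.1` is enough to assert it. If an in-workflow npm upgrade is kept anywhere, `npm@latest` should be replaced by an exact version, since it pulls unpinned publishing tooling from the registry at release time.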
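Review bot: After this change the only record of how the changesets step authenticates to npm is the issue link beside `NPM_TOKEN: ""`; nothing says that npm's trusted-publisher entry is bound to this repository and to this workflow's filename, so renaming `release.yml` or moving the publish job to another workflow would break releases with no hint in the file. Suggest a comment above `env:` such as `# npm auth is trusted publishing (OIDC): the publisher configured on npmjs.com is bound to this repo and the workflow filename release.yml; update it there if either changes.` The hunk stops referencing `secrets.NPM_PUBLISH_TOKEN`, but the repository secret and the legacy npm token behind it stay valid until they are deleted and revoked, which this commit cannot do; worth tracking as a follow-up. The changesets step's `with:` block starts outside the hunk.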
From: Ryan Carniato
Date: Thu, 11 Jun 2026 19:54:11 -0700
Subject: [PATCH 2/4] ci: drop NPM_TOKEN entirely, changesets/action >= 1.7 supports tokenless OIDC publish

---
 .github/workflows/release.yml | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 076dcbd25..f57e4d090 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -46,6 +46,3 @@ jobs:
           commit: "chore: release"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          # Empty token keeps changesets/action happy while npm authenticates via OIDC
-          # https://github.com/changesets/changesets/issues/1152
-          NPM_TOKEN: ""

From 3fc2f87f1a8b5ebae9f7d29edb598534dcc77b38 Mon Sep 17 00:00:00 2001
From: Ryan Carniato
Date: Thu, 11 Jun 2026 19:58:37 -0700
Subject: [PATCH 3/4] ci: move to Node 24 LTS instead of upgrading npm in-workflow

Node 24.16.0 bundles npm 11.13.0, which natively supports trusted publishing (requires npm >= 11.5.1), so the explicit npm upgrade step is no longer needed. All workflows read .nvmrc so CI moves together.
---
 .github/workflows/release.yml | 4 ----
 .nvmrc                        | 2 +-
 2 files changed, 1 insertion(+), 5 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f57e4d090..763c7c957 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -30,10 +30,6 @@ jobs:
           registry-url: "https://registry.npmjs.org"
           cache: "pnpm"
 
-      # Trusted publishing requires npm >= 11.5.1; Node 22 bundles npm 10.x
-      - name: Update npm for trusted publishing
-        run: npm install -g npm@latest
-
       - name: Install Dependencies
         run: pnpm i --frozen-lockfile
 
diff --git a/.nvmrc b/.nvmrc
index e2228113d..b832e4001 100644
--- a/.nvmrc
+++ b/.nvmrc
@@ -1 +1 @@
-22.19.0
+24.16.0

From a80c6fe0a10bbb3ff87b04add7ebecb0aedee7a9 Mon Sep 17 00:00:00 2001
From: Ryan Carniato
Date: Thu, 11 Jun 2026 20:15:43 -0700
Subject: [PATCH 4/4] ci: pin Node 24.15.0 to avoid extract-zip regression in 24.16.0

Node 24.16.0 has a readable-stream regression (nodejs/node#63487) that hangs playwright/cypress browser installs during zip extraction. Playwright < 1.60 is affected; pin 24.15.0 until 24.17.0 ships the fix.

Co-authored-by: Cursor
---
 .nvmrc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.nvmrc b/.nvmrc
index b832e4001..5bf4400f2 100644
--- a/.nvmrc
+++ b/.nvmrc
@@ -1 +1 @@
-24.16.0
+24.15.0