ci: clear placeholder auth token so npm uses OIDC (#84) #100

	name: Release
	on:
	push:
	branches: [main]
	workflow_dispatch:
	jobs:
	release:
	runs-on: ubuntu-latest
	environment: npm
	permissions:
	contents: write
	id-token: write
	steps:
	- uses: actions/checkout@v4
	with: { fetch-depth: 0 }
	- uses: pnpm/action-setup@v4
	- uses: actions/setup-node@v4
	with:
	node-version: 22
	cache: pnpm
	registry-url: "https://registry.npmjs.org"
	- run: pnpm install --frozen-lockfile

	- name: Check if version is already published
	id: check
	run: \|
	PKG_NAME=$(node -p "require('./package.json').name")
	PKG_VERSION=$(node -p "require('./package.json').version")
	echo "version=${PKG_VERSION}" >> "$GITHUB_OUTPUT"
	if npm view "${PKG_NAME}@${PKG_VERSION}" version 2>/dev/null; then
	echo "published=true" >> "$GITHUB_OUTPUT"
	else
	echo "published=false" >> "$GITHUB_OUTPUT"
	fi

	- name: Build and publish
	if: steps.check.outputs.published == 'false'
	run: \|
	# Clear the placeholder token so npm uses OIDC instead
	npm config set //registry.npmjs.org/:_authToken ""
	pnpm build && npm publish --access public --provenance

	- name: Ensure git tag exists
	if: steps.check.outputs.published == 'false'
	run: \|
	TAG="v${{ steps.check.outputs.version }}"
	if ! git rev-parse "${TAG}" >/dev/null 2>&1; then
	git tag "${TAG}"
	git push origin "${TAG}"
	fi

	- name: Create GitHub Release
	if: steps.check.outputs.published == 'false'
	run: \|
	TAG="v${{ steps.check.outputs.version }}"
	gh release create "${TAG}" --generate-notes --title "${TAG}" --verify-tag
	env:
	GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

Provide feedback