@capcom6 capcom6 commented Nov 29, 2025

Summary by CodeRabbit

Release Notes

This release contains internal infrastructure updates with no user-visible changes.

  • Chores
    • Updated CI/CD workflow permissions and authentication configuration for improved security and reliability in the release process.

coderabbitai bot commented Nov 29, 2025

Walkthrough

GitHub Actions release workflow configuration updated to add OIDC token write permission and remove NODE_AUTH_TOKEN environment variable from npm publish step.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Workflow Configuration: `.github/workflows/release.yml` | Added id-token: write permission to workflow. Removed NODE_AUTH_TOKEN environment variable from npm publish step. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title '[actions] publish by OIDC' directly relates to the main change: enabling OIDC-based publishing by adding the id-token permission and removing NODE_AUTH_TOKEN. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3c297c4 and 835b4a8.

📒 Files selected for processing (1)
  • .github/workflows/release.yml (1 hunks)
🔇 Additional comments (2)
.github/workflows/release.yml (2)

7-9: OIDC authentication permission properly configured.

Adding the id-token: write permission enables GitHub Actions to generate OIDC tokens needed for authentication, replacing the previous NODE_AUTH_TOKEN secret-based approach. This is a security improvement.


35-38: Verify setup-node@v3 and npm properly handle OIDC authentication flow.

The workflow relies on setup-node@v3 to automatically configure npm for OIDC authentication when the id-token: write permission is present. Ensure this setup works as expected by verifying:

  1. setup-node@v3 supports and automatically enables OIDC publishing to npm
  2. npm (used via npm publish) supports OIDC authentication tokens
  3. The npm registry (https://registry.npmjs.org) accepts OIDC tokens from this GitHub repository

If setup-node does not automatically configure OIDC, you may need to add additional configuration such as an explicit OIDC token generation step or npm configuration.



@capcom6 capcom6 merged commit 71c7d0c into master Nov 29, 2025
8 checks passed
@capcom6 capcom6 deleted the actions/publish-by-oidc branch November 29, 2025 07:34
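
The change discussed in this thread, shown as a before/after pair of workflow files. This is an added example, not the repository's actual release.yml: the trigger, job name, checkout version, Node version and the secret name `NPM_TOKEN` are assumptions.

```yaml
# Constructed example: not this repository's release.yml.
# Trigger, job name, checkout/Node versions and secret name are assumptions.

# --- Before: long-lived npm token stored as a repository secret ---
name: release
on:
  release:
    types: [published]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v3
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish
        env:
          # Static credential: usable from anywhere until it is revoked
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
---
# --- After: short-lived OIDC identity, no stored npm secret ---
name: release
on:
  release:
    types: [published]
permissions:
  id-token: write   # lets the job request a GitHub OIDC token
  contents: read    # unlisted scopes drop to none once permissions is set
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v3
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      # npm trusted publishing needs npm CLI 11.5.1 or later
      - run: npm install -g npm@latest
      - run: npm ci
      - run: npm publish   # no NODE_AUTH_TOKEN in env
```

The registry side also needs a trusted publisher entry for the package on npmjs.com that names the repository and the workflow file; without it the publish is rejected. Once an OIDC publish has succeeded, revoke the old npm token and delete the repository secret so the static credential no longer exists.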