needle-tools
diff --git a/‎.github/workflows/test.yml‎
Lines changed: 76 additions & 1 deletion b/‎.github/workflows/test.yml‎
Lines changed: 76 additions & 1 deletion
diff --git a/‎bin/cli.js‎
Lines changed: 2 additions & 0 deletions b/‎bin/cli.js‎
Lines changed: 2 additions & 0 deletions
@@ -30,7 +30,7 @@ jobs:
             id: publish
             run: npx . publish "./test" --webhook "${{ secrets.DISCORD_WEBHOOK_TEST_RELEASE }}" --access-token "${{ secrets.NPM_TOKEN }}" --version+hash --tag github --version+tag --create-tag "test/" --llm-api-key "${{ secrets.LLM_API_KEY }}"
 
-          - name: Print output 
+          - name: Print output
             run: |
               echo "Package version: ${{ steps.publish.outputs.package-version }}"
 
@@ -42,3 +42,78 @@ jobs:
 
           - name: Just add a tag
             run: npx . publish "./test" --webhook "${{ secrets.DISCORD_WEBHOOK_TEST_RELEASE }}" --access-token "${{ secrets.NPM_TOKEN }}" --tag github-2
+
+    # OIDC-based publishing (Trusted Publishing)
+    # NOTE: First publish of a package MUST use --access-token. OIDC only works for existing packages.
+    #
+    # To enable OIDC for this package:
+    # 1. Ensure the package exists on npmjs.com (publish once with --access-token)
+    # 2. Go to https://www.npmjs.com/package/publish-helper-test-package/access
+    # 3. Click "Settings" → "Trusted Publisher" → "GitHub Actions"
+    # 4. Configure: owner (needle-tools), repository (npm-publish-helper), workflow (test.yml)
+    publish-oidc:
+        runs-on: ubuntu-latest
+        timeout-minutes: 5
+        permissions:
+          contents: read
+          id-token: write  # Required for OIDC authentication
+        defaults:
+          run:
+            working-directory: ./
+
+        steps:
+          - uses: actions/checkout@v4
+
+          - name: Setup Node.js
+            uses: actions/setup-node@v4
+            with:
+              node-version: '22'
+              # Note: Do NOT set registry-url here for OIDC - it creates .npmrc expecting NODE_AUTH_TOKEN
+              # which conflicts with OIDC. Let npm use its default registry.
+
+          - name: Update npm to latest (OIDC requires npm >= 11.5)
+            run: |
+              echo "Current npm version: $(npm --version)"
+              npm install -g npm@latest
+              echo "Updated npm version: $(npm --version)"
+
+          - name: Check environment for OIDC
+            run: |
+              echo "=== Node/npm versions ==="
+              echo "npm version: $(npm --version)"
+              echo "node version: $(node --version)"
+              echo ""
+              echo "=== OIDC Environment Variables ==="
+              echo "GITHUB_ACTIONS: $GITHUB_ACTIONS"
+              echo "ACTIONS_ID_TOKEN_REQUEST_URL: ${ACTIONS_ID_TOKEN_REQUEST_URL:-(not set)}"
+              echo "ACTIONS_ID_TOKEN_REQUEST_TOKEN: ${ACTIONS_ID_TOKEN_REQUEST_TOKEN:+****(set)}"
+              echo ""
+              echo "=== Token Environment Variables (should be unset for OIDC) ==="
+              echo "NPM_TOKEN: ${NPM_TOKEN:-(not set)}"
+              echo "NODE_AUTH_TOKEN: ${NODE_AUTH_TOKEN:-(not set)}"
+              echo ""
+              echo "=== npmrc contents (if any) ==="
+              cat ~/.npmrc 2>/dev/null || echo "(no ~/.npmrc)"
+              cat .npmrc 2>/dev/null || echo "(no ./.npmrc)"
+              echo ""
+              echo "=== npm config list ==="
+              npm config list
+
+          - name: Install dependencies
+            run: npm install
+
+          - name: Test direct npm publish with OIDC (debug)
+            working-directory: ./test
+            continue-on-error: true
+            run: |
+              echo "Testing direct npm publish with --provenance..."
+              npm version 2.0.0-oidc-direct-test.$(git rev-parse --short HEAD) --no-git-tag-version
+              npm publish --access public --provenance --tag oidc-direct --dry-run || echo "Direct test failed"
+
+          - name: Run publish with OIDC
+            id: publish-oidc
+            run: npx . publish "./test" --webhook "${{ secrets.DISCORD_WEBHOOK_TEST_RELEASE }}" --oidc --version+hash --tag oidc --version+tag
+
+          - name: Print output
+            run: |
+              echo "Package version: ${{ steps.publish-oidc.outputs.package-version }}"
@@ -68,6 +68,7 @@ program.command('publish', 'Publish npm package')
     .option("--create-tag", "Create a git tag. Default: null. Can be set to e.g. '--create-tag release/'", { required: false, validator: program.STRING })
     .option("--webhook <webhook>", "Webhook URL to send notifications", { required: false, validator: program.STRING })
     .option("--access-token <access-token>", "NPM access token", { required: false, validator: program.STRING })
+    .option("--oidc", "Use OIDC (OpenID Connect) for authentication instead of access tokens. Requires npm >= 11.5 and a trusted publisher configured on npmjs.com. Works with GitHub Actions and GitLab CI/CD.", { required: false, validator: program.BOOLEAN, default: false })
     .option("--dry-run", "Dry run mode, do not publish", { required: false, validator: program.BOOLEAN, default: false })
     .option("--override-name <name>", "Override package name", { required: false, validator: program.STRING })
     .option("--override-version <version>", "Override package version", { required: false, validator: program.STRING })
@@ -93,6 +94,7 @@ program.command('publish', 'Publish npm package')
 
             registry: registry,
             accessToken: options.accessToken?.toString() || null,
+            useOidc: options.oidc === true,
             useHashInVersion: options.versionHash === true, // default to false
             useTagInVersion: options.versionTag === true, // default to false
             createGitTag: options.createTag !== undefined, // default to false