Replace npm token auth with OIDC trusted publishing

.github/scripts/clear-npm-token.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+# Clear npm token configuration to ensure OIDC is used instead
+# This script removes any token-based authentication from npm config
+# Note: We use '|| true' for commands that may fail if config doesn't exist
+
+echo "Clearing npm token configuration to force OIDC usage..."
+
+# Remove any .npmrc file that might contain token auth
+if [ -f "$HOME/.npmrc" ]; then
+  echo "Found .npmrc at $HOME/.npmrc, checking for token auth..."
+  if grep -q "_authToken" "$HOME/.npmrc"; then
+    echo "Removing token auth from .npmrc..."
+    sed -i '/_authToken/d' "$HOME/.npmrc" || true
+  fi
+fi
+
+# Clear npm config token settings
+npm config delete //registry.npmjs.org/:_authToken || true
+npm config delete _authToken || true
+
+# Note: If NODE_AUTH_TOKEN secret exists in repository, it should be removed
+# from Settings > Secrets and variables > Actions to allow OIDC to work properly
+if [ -n "$NODE_AUTH_TOKEN" ]; then
+  echo "WARNING: NODE_AUTH_TOKEN secret is configured in repository"
+  echo "This may prevent OIDC from working. Consider removing it from"
+  echo "repository Settings > Secrets and variables > Actions"
+fi
+
+echo "✓ Cleared npm token configuration"

.github/scripts/verify-oidc.sh

@@ -0,0 +1,72 @@
+#!/bin/bash
+# Verify OIDC authentication setup for npm trusted publishing
+# This script checks that all prerequisites for OIDC are met
+# Note: We don't use 'set -e' here so we can continue checking even if some conditions fail
+
+echo "=== Verifying OIDC Authentication Setup ==="
+echo ""
+echo "Workflow name: ${GITHUB_WORKFLOW:-unknown}"
+echo "Workflow file: ${GITHUB_WORKFLOW_REF:-unknown}"
+echo "Repository: ${GITHUB_REPOSITORY:-unknown}"
+echo "Ref: ${GITHUB_REF:-unknown}"
+echo "Actor: ${GITHUB_ACTOR:-unknown}"
+echo "Event name: ${GITHUB_EVENT_NAME:-unknown}"
+echo ""
+
+# Check if NODE_AUTH_TOKEN is set (from repository secrets)
+if [ -n "$NODE_AUTH_TOKEN" ]; then
+  echo "⚠️  WARNING: NODE_AUTH_TOKEN secret is configured in repository"
+  echo "   This may prevent OIDC from working. Please remove the NODE_AUTH_TOKEN secret"
+  echo "   from repository Settings > Secrets and variables > Actions"
+  echo ""
+else
+  echo "✓ No NODE_AUTH_TOKEN secret found (good for OIDC)"
+fi
+
+# Check if ACTIONS_ID_TOKEN_REQUEST_TOKEN is available (required for OIDC)
+if [ -z "$ACTIONS_ID_TOKEN_REQUEST_TOKEN" ]; then
+  echo "⚠️  WARNING: ACTIONS_ID_TOKEN_REQUEST_TOKEN not set - OIDC may not work"
+  echo "   Ensure the workflow has 'id-token: write' permission"
+else
+  echo "✓ OIDC token request token is available"
+fi
+
+echo ""
+echo "=== Node.js and npm Versions ==="
+echo "Node version: $(node --version)"
+echo "npm version: $(npm --version)"
+
+# Ensure npm is at least 10.0.0 for OIDC support
+npm_version=$(npm --version | cut -d. -f1)
+if [ "$npm_version" -lt 10 ]; then
+  echo "⚠️  WARNING: npm version is less than 10.0.0, OIDC may not work properly"
+else
+  echo "✓ npm version supports OIDC (10.0.0+)"
+fi
+
+echo ""
+echo "=== npm Configuration ==="
+npm config list
+
+echo ""
+echo "=== Checking for .npmrc ==="
+if [ -f .npmrc ]; then
+  echo "Found .npmrc in current directory:"
+  cat .npmrc
+  # Check if it contains token auth (should not for OIDC)
+  if grep -q "_authToken" .npmrc; then
+    echo "⚠️  WARNING: .npmrc contains _authToken - this will prevent OIDC"
+    echo "Removing token configuration..."
+    sed -i '/^\/\/registry\.npmjs\.org\/:_authToken/d' .npmrc || true
+    sed -i '/^_authToken/d' .npmrc || true
+  fi
+else
+  echo "No .npmrc file found in current directory (this is expected for OIDC)"
+fi
+
+echo ""
+echo "=== Environment Variables ==="
+env | grep -i "npm\|node" || echo "No npm/node env vars found"
+
+echo ""
+echo "=== OIDC Verification Complete ==="

.github/workflows/ci.yml

@@ -2,6 +2,7 @@ name: CI
 permissions:
   contents: write
   pull-requests: write
+  id-token: write
 on:
   push:
     branches:
@@ -19,6 +20,7 @@ jobs:
         node-version:
           - 20.x
           - 22.x
+          - 24.x
     steps:
       - uses: actions/checkout@v6
       - name: Use Node.js ${{ matrix.node-version }}
@@ -30,7 +32,7 @@ jobs:
       - run: npm run build
       - run: npm run doc
       - name: Save build
-        if: matrix.node-version == '20.x'
+        if: matrix.node-version == '24.x'
         uses: actions/upload-artifact@v6
         with:
           name: build
@@ -67,39 +69,90 @@ jobs:
   npm-publish-build:
     needs: build
     runs-on: ubuntu-latest
+    if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
+    permissions:
+      id-token: write  # Required for OIDC trusted publishing
+      contents: read
     steps:
+      - uses: actions/checkout@v6
       - uses: actions/download-artifact@v7
         with:
           name: build
+          path: .
+          merge-multiple: true
       - uses: actions/setup-node@v6
         with:
-          node-version: 20.x
+          node-version: 24.x
+          registry-url: 'https://registry.npmjs.org'
+      - name: Verify scripts are available
+        run: |
+          if [ ! -f .github/scripts/clear-npm-token.sh ]; then
+            echo "ERROR: Script not found. Listing .github directory:"
+            ls -la .github/ || echo ".github directory not found"
+            ls -la .github/scripts/ || echo ".github/scripts directory not found"
+            exit 1
+          fi
+          chmod +x .github/scripts/*.sh
+          echo "✓ Scripts are available and executable"
+      - name: Clear npm token configuration
+        run: bash .github/scripts/clear-npm-token.sh
       - uses: rlespinasse/github-slug-action@v4.x
       - name: Append commit hash to package version
         run: 'sed -i -E "s/(\"version\": *\"[^\"]+)/\1-${GITHUB_SHA_SHORT}/" package.json'
       - name: Disable pre- and post-publish actions
         run: 'sed -i -E "s/\"((pre|post)publish)/\"ignore:\1/" package.json'
-      - uses: JS-DevTools/npm-publish@v4.1.3
-        if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
-        with:
-          token: ${{ secrets.NPM_TOKEN }}
-          tag: ${{ env.GITHUB_REF_SLUG }}
+      - name: Verify OIDC authentication
+        run: bash .github/scripts/verify-oidc.sh
+      - name: Test npm publish (dry-run) - PRs only
+        if: github.event_name == 'pull_request'
+        run: |
+          echo "Testing npm publish authentication with dry-run..."
+          echo "Note: OIDC tokens ARE available for pull_request events when the workflow"
+          echo "has 'id-token: write' permission, allowing us to verify authentication."
+          npm publish --dry-run --access public --tag ${{ env.GITHUB_REF_SLUG }} || {
+            echo "ERROR: npm publish dry-run failed"
+            echo "This indicates OIDC authentication is not working correctly"
+            exit 1
+          }
+          echo "✓ npm publish dry-run succeeded - OIDC authentication is working!"
+      - name: Publish to npm
+        if: github.event_name != 'pull_request'
+        run: npm publish --access public --tag ${{ env.GITHUB_REF_SLUG }}
 
   npm-publish-latest:
     needs: [build, npm-publish-build]
     runs-on: ubuntu-latest
-    if: github.ref == 'refs/heads/main'
+    if: github.ref == 'refs/heads/main' && github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]'
+    permissions:
+      id-token: write  # Required for OIDC trusted publishing
+      contents: read
     steps:
+      - uses: actions/checkout@v6
       - uses: actions/download-artifact@v7
         with:
           name: build
+          path: .
+          merge-multiple: true
       - uses: actions/setup-node@v6
         with:
-          node-version: 20.x
+          node-version: 24.x
+          registry-url: 'https://registry.npmjs.org'
+          # OIDC will be used automatically when id-token: write is set
+      - name: Verify scripts are available
+        run: |
+          if [ ! -f .github/scripts/clear-npm-token.sh ]; then
+            echo "ERROR: Script not found. Listing .github directory:"
+            ls -la .github/ || echo ".github directory not found"
+            ls -la .github/scripts/ || echo ".github/scripts directory not found"
+            exit 1
+          fi
+          chmod +x .github/scripts/*.sh
+          echo "✓ Scripts are available and executable"
+      - name: Clear npm token configuration
+        run: bash .github/scripts/clear-npm-token.sh
       - name: Disable pre- and post-publish actions
         run: 'sed -i -E "s/\"((pre|post)publish)/\"ignore:\1/" package.json'
-      - uses: JS-DevTools/npm-publish@v4.1.3
-        if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' 
-        with:
-          token: ${{ secrets.NPM_TOKEN }}
-          tag: latest
+      - name: Verify OIDC authentication
+        run: bash .github/scripts/verify-oidc.sh
+      - name: Publish to npm
+        run: npm publish --access public

package.json

@@ -42,7 +42,7 @@
   },
   "repository": {
     "type": "git",
-    "url": "git+https://github.com/solidos/solid-ui.git"
+    "url": "https://github.com/solidos/solid-ui"
   },
   "keywords": [
     "solid",