
ci: migrate from using npm tokens to oicd #1874

Open: nhironaka wants to merge 1 commit into main from nhironaka/migrate_to_trusted_publishers

Conversation


@nhironaka nhironaka commented Apr 2, 2026

Summary

Releases are failing because the npm tokens expired, but the recommended way is to use trusted publishers anyway.

Screenshots (if appropriate):

Testing approaches

Note

Medium Risk
Changes the release GitHub Actions workflow permissions and npm publishing authentication (removing the stored npm token), which can break releases or inadvertently broaden workflow write access if misconfigured.

Overview
Updates the Release GitHub Actions workflow to stop fetching/using an NPM_TOKEN from SSM and rely on provenance-based publishing (NPM_CONFIG_PROVENANCE: true) instead.

Also expands workflow permissions from contents: read to write access and adds pull-requests: write and issues: write so the Changesets action can create/update release PRs and related metadata using the provided PAT.

Written by Cursor Bugbot for commit 010f6cc.

@nhironaka nhironaka requested a review from a team as a code owner April 2, 2026 20:23

changeset-bot bot commented Apr 2, 2026

⚠️ No Changeset found

Latest commit: 010f6cc

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


ssm_parameter_pairs: |
/production/common/launchpad-ui/gh-pat-token = CUSTOM_GITHUB_TOKEN,
/production/common/releasing/npm/token = NODE_AUTH_TOKEN
/production/common/launchpad-ui/gh-pat-token = CUSTOM_GITHUB_TOKEN
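Review bot: with the "/production/common/releasing/npm/token = NODE_AUTH_TOKEN" pair removed, the publish step has no credential other than the OIDC exchange, so the job that runs changeset publish must carry id-token: write in its permissions and the package must have this repository and workflow file registered as a trusted publisher on npmjs.com before this merges; a missing registration surfaces only as an auth failure at release time. The remaining gh-pat-token pair is still a long-lived secret pulled from SSM, so consider keeping it scoped to the Changesets step that creates the release PR rather than exposing it to the whole job.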

Missing registry-url breaks npm OIDC authentication

High Severity

The migration to OIDC trusted publishing removes NPM_TOKEN but doesn't add registry-url: 'https://registry.npmjs.org' to the actions/setup-node step. npm's OIDC authentication requires setup-node to be configured with registry-url so it generates the correct .npmrc file. Without it, changeset publish will fail to authenticate with npm, and no packages will be published.


nhironaka (Contributor Author) replied:

The issue described is incorrect — do not add registry-url here.

Here's why:

actions/setup-node with registry-url generates a .npmrc containing //registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}. That is the token-based auth mechanism, which is exactly what we're moving away from.

npm's OIDC trusted publisher flow works differently: when id-token: write is granted and the package has a trusted publisher configured on npmjs.com, the npm CLI automatically requests a short-lived OIDC token from GitHub's token endpoint at publish time — no .npmrc auth entry needed.

Adding registry-url without also providing NODE_AUTH_TOKEN would actually write a broken .npmrc with an unresolved ${NODE_AUTH_TOKEN} variable, which could cause auth failures rather than fix them.

The current state of the workflow (no registry-url, no NPM_TOKEN, id-token: write present) is the correct configuration for trusted publishers. No change needed.

@nhironaka nhironaka force-pushed the nhironaka/migrate_to_trusted_publishers branch from 7a593be to 8584046 Compare April 2, 2026 20:25
@nhironaka nhironaka force-pushed the nhironaka/migrate_to_trusted_publishers branch from 8584046 to 010f6cc Compare April 2, 2026 20:26

@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).


ssm_parameter_pairs: |
/production/common/launchpad-ui/gh-pat-token = CUSTOM_GITHUB_TOKEN,
/production/common/releasing/npm/token = NODE_AUTH_TOKEN
/production/common/launchpad-ui/gh-pat-token = CUSTOM_GITHUB_TOKEN
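Review bot: the hunk removes the token source but adds no step that ensures the npm CLI on the runner supports OIDC trusted publishing; the Bugbot finding on this page states npm >= 11.5.1 is required while Node.js 22 bundles npm 10.9.7. Suggest an explicit upgrade step such as "npm install -g npm@latest" before changeset publish, and checking the first release run's log for the provenance attestation so that an authentication failure is caught on that run rather than discovered later from a missing package version.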

npm version too old for OIDC trusted publishing

High Severity

npm OIDC trusted publishing requires npm >= 11.5.1, but Node.js 22 only bundles npm 10.9.7. Since NPM_TOKEN was removed and no step upgrades npm to a compatible version, the workflow has no working authentication mechanism. Publishing via changeset publish will fail with an auth error. A step like npm install -g npm@latest is needed, and setup-node likely needs a registry-url configured for the OIDC flow.


@devin-ai-integration devin-ai-integration bot left a comment


✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.


@nhironaka nhironaka changed the title migrate from using npm tokens to oicd ci: migrate from using npm tokens to oicd Apr 2, 2026