@ChiragAgg5k ChiragAgg5k commented Dec 24, 2025

Summary

This PR updates the npm publish workflows to use npm's new OIDC-based trusted publisher instead of token-based authentication.

Changes

  • Added id-token: write and contents: read permissions for OIDC
  • Updated Node.js version to 22 (current LTS)
  • Changed npm install to npm ci for more reliable CI builds
  • Added --provenance --access public flags for trusted publishing
  • Removed NODE_AUTH_TOKEN environment variable (no longer needed with OIDC)

Files Modified

  • templates/cli/.github/workflows/npm-publish.yml
  • templates/node/.github/workflows/publish.yml.twig
  • templates/react-native/.github/workflows/publish.yml.twig
  • templates/web/.github/workflows/publish.yml.twig

Note

After merging, you'll need to configure each npm package on npmjs.com to trust the corresponding GitHub repository:

  1. Go to your package on npmjs.com
  2. Navigate to Settings → Publishing access → Provenance
  3. Link the GitHub repository as a trusted publisher

Summary by CodeRabbit

  • New Features

    • CLI template now supports ARM64 builds for macOS and Windows platforms.
  • Chores

    • Updated Node.js to version 22 across all templates.
    • Upgraded GitHub Actions to latest versions for improved security and performance.
    • Enhanced package publishing with provenance and improved access controls.
    • Optimized dependency installation process.

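Added illustration, not code from this PR or its templates: the same minimal release-triggered publish job for a hypothetical package, first in the token-based form the PR removes and then in the OIDC trusted-publisher form it introduces, as two YAML documents. The explicit npm upgrade step, and the claim that trusted publishing needs npm 11.5.1 or newer (which is newer than the npm bundled with Node 22), are my assumptions and not something the PR states.

```yaml
# Before: a long-lived automation token stored as a repository secret.
# Anyone who can read the secret (or a compromised dependency running in
# the job) can publish as the maintainer from anywhere, indefinitely.
name: publish (token)
on:
  release:
    types: [published]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20.x
          registry-url: https://registry.npmjs.org
      - run: npm install
      - run: npm publish
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # static credential
---
# After: no registry secret in the repository. The job requests a
# short-lived GitHub OIDC token; npm accepts it only from the repository
# and workflow registered as the package's trusted publisher.
name: publish (oidc)
on:
  release:
    types: [published]
permissions:
  id-token: write   # allow the job to mint an OIDC token for npm
  contents: read    # least privilege: checkout needs read only
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org
      # Assumption: trusted publishing requires npm >= 11.5.1, newer than the
      # npm shipped with Node 22, so the job upgrades the CLI first.
      - run: npm install -g npm@latest
      - run: npm ci   # lockfile-exact install, fails if package-lock drifts
      # --provenance attaches a Sigstore attestation tying the tarball to
      # this workflow run; --access public is required for scoped packages.
      - run: npm publish --provenance --access public
```

Consumers can later check that a published version carries the attestation with `npm audit signatures`, which verifies registry signatures and provenance for installed packages.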
coderabbitai bot commented Dec 24, 2025

Caution

Review failed

The pull request is closed.

Walkthrough

This pull request modernizes GitHub Actions workflow files across multiple project templates. The changes add explicit permissions blocks (id-token: write and contents: read) to workflows, update Node.js from version 20.x to 22, and replace npm install with npm ci for improved reproducibility in CI environments. The npm publish commands are enhanced with --provenance and --access public flags while removing the NODE_AUTH_TOKEN environment variable. The CLI template additionally updates GitHub Actions versions (checkout v2→v4, setup-node v2→v4), expands the build matrix to include macOS and Windows ARM64 targets, and adds QEMU and ldid setup steps.

Reviewing files that changed from the base of the PR and between 9290a9d and 7cceabb.

📒 Files selected for processing (4)
  • templates/cli/.github/workflows/npm-publish.yml
  • templates/node/.github/workflows/publish.yml.twig
  • templates/react-native/.github/workflows/publish.yml.twig
  • templates/web/.github/workflows/publish.yml.twig

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@ChiragAgg5k ChiragAgg5k merged commit 3876d48 into master Dec 24, 2025
56 of 57 checks passed
@ChiragAgg5k ChiragAgg5k deleted the feat/npm-trusted-publisher branch December 24, 2025 07:49
Copilot AI left a comment

Pull request overview

This PR modernizes npm package publishing by migrating from token-based authentication to npm's OIDC-based trusted publisher, enhancing security and simplifying credential management. The changes update GitHub Actions workflows across multiple project templates to use the new authentication method.

Key changes:

  • Implemented OIDC authentication by adding id-token: write and contents: read permissions
  • Upgraded Node.js version from 20.x to 22 (current LTS) across all workflows
  • Replaced npm install with npm ci for more deterministic builds and added --provenance --access public flags to npm publish commands

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File: templates/cli/.github/workflows/npm-publish.yml
Description: Updated CLI template workflow with OIDC permissions, Node.js 22, npm ci, provenance flags, and corrected spelling error

File: templates/node/.github/workflows/publish.yml.twig
Description: Updated Node template workflow with OIDC permissions, Node.js 22, npm ci, and provenance flags

File: templates/react-native/.github/workflows/publish.yml.twig
Description: Updated React Native template workflow with OIDC permissions, Node.js 22, npm ci, and provenance flags

File: templates/web/.github/workflows/publish.yml.twig
Description: Updated Web template workflow with OIDC permissions, Node.js 22, npm ci, and provenance flags


types: [published]

permissions:
id-token: write
Copilot AI Dec 24, 2025

The indentation for 'id-token: write' is incorrect. It should be aligned with 'contents:' on line 9. The property should start at column 3 (2 spaces of indentation) to match the YAML structure for the permissions block.

Suggested change
id-token: write
id-token: write
