From e7265adbff849a2c57b2fb45df2218d9799d8aed Mon Sep 17 00:00:00 2001
From: Erik Arvidsson <erik.arvidsson@gmail.com>
Date: Tue, 19 May 2026 17:12:24 +0200
Subject: [PATCH] ci: publish via OIDC trusted publishing (drop NPM_TOKEN)

The publish job already has job-scoped id-token: write and an
npm@latest upgrade, but still passed NODE_AUTH_TOKEN, so npm
authenticated with the long-lived token instead of OIDC. Removing
it makes npm use the configured Trusted Publisher (OIDC), so no
long-lived token can publish @rocicorp/zero-sqlite3.

DO NOT MERGE until the npm Trusted Publisher for
@rocicorp/zero-sqlite3 is configured (rocicorp/zero-sqlite3 +
build.yml), or release publishing will fail with no auth.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/build.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 2636a8c..d240501 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -142,8 +142,6 @@ jobs:
       - name: Upgrade npm for OIDC support
         run: npm install -g npm@latest
       - run: npm publish --provenance
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
   prebuild:
     if: ${{ github.event_name == 'release' }}