From 58ac1d39137c8d068e842acc8678172610a01e4d Mon Sep 17 00:00:00 2001
From: Diana Suvorova
Date: Mon, 8 Jun 2026 14:35:27 -0700
Subject: [PATCH 1/5] Correcting trusted publisher setup
---
 .github/workflows/release.yml | 3 ++-
 publish/publish-next.js | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f08162e5e9..fe2fdc060c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -32,7 +32,6 @@ jobs:
 with:
 node-version: 22
 cache: "pnpm"
- registry-url: https://registry.npmjs.org
 - name: Install dependencies
 run: pnpm install --frozen-lockfile
@@ -45,3 +44,5 @@ jobs:
 - name: Publishing next version
 run: ./publish/publish-next.js
+ env:
+ NPM_CONFIG_REGISTRY: https://registry.npmjs.org/
diff --git a/publish/publish-next.js b/publish/publish-next.js
index 2f7c88ffcf..20dedcd4db 100755
--- a/publish/publish-next.js
+++ b/publish/publish-next.js
@@ -13,7 +13,7 @@ const publishNext = () => {
 fs.writeFileSync("./dist/package.json", JSON.stringify(pkgJson, null, 2));
 try {
- execSync("cd dist && npm publish --tag next");
+ execSync("cd dist && npm publish --tag next", { stdio: "inherit" });
 } catch (e) {
 console.log(e);
 console.log("Next publish failed.");
@@ -33,7 +33,7 @@ fetch(`https://registry.npmjs.org/baseui`)
 delete pkgJson.scripts.prepare;
 fs.writeFileSync("./dist/package.json", JSON.stringify(pkgJson, null, 2));
 try {
- execSync("cd dist && npm publish");
+ execSync("cd dist && npm publish", { stdio: "inherit" });
 } catch (e) {
 console.log(e);
 console.log("Stable publish failed.");
From 3bdf79b2319848a1ec225da31abf2928d258d6ec Mon Sep 17 00:00:00 2001
From: Diana Suvorova
Date: Mon, 8 Jun 2026 14:43:44 -0700
Subject: [PATCH 2/5] fix: restore registry-url for npm OIDC discovery
---
 .github/workflows/release.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
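Review bot: Neither release.yml hunk in patch 1 gives the publish step an npm that can complete the trusted-publisher (OIDC) exchange: the first hunk's context pins `node-version: 22`, whose bundled npm is normally a 10.x release, while npm's trusted publishing requires npm 11.5.1 or later. Moving the registry setting from `registry-url` to `NPM_CONFIG_REGISTRY` does not change that, so I would add a step before "Publishing next version" with `run: npm install -g npm@^11.5.1`. The job also needs `permissions: id-token: write`, which is not visible in either hunk and should be confirmed. The steps list starts and ends outside both hunks.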
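Review bot: Both changed `execSync` calls (the `@@ -13,7` hunk for the `--tag next` publish and the `@@ -33,7` hunk for the stable publish) sit in a `catch` that, as far as the visible lines show, only logs, so a rejected publish may leave the release step green. Each catch block continues outside its hunk, so confirm it ends in a non-zero exit, for example `process.exitCode = 1;` after the "publish failed" message. With `stdio: "inherit"` npm's own error already reaches the job log, so `console.log(e)` now mostly repeats it. The `cd dist &&` shell prefix can also be dropped in favour of `execSync("npm publish --tag next", { cwd: "dist", stdio: "inherit" });`.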
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index fe2fdc060c..f08162e5e9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -32,6 +32,7 @@ jobs:
 with:
 node-version: 22
 cache: "pnpm"
+ registry-url: https://registry.npmjs.org
 - name: Install dependencies
 run: pnpm install --frozen-lockfile
@@ -44,5 +45,3 @@ jobs:
 - name: Publishing next version
 run: ./publish/publish-next.js
- env:
- NPM_CONFIG_REGISTRY: https://registry.npmjs.org/
From c05b440d3cc3987e3af16a09c6642b0540a37e28 Mon Sep 17 00:00:00 2001
From: Diana Suvorova
Date: Mon, 8 Jun 2026 14:48:17 -0700
Subject: [PATCH 3/5] debug: add npm verbose logging to diagnose OIDC auth
---
 publish/publish-next.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/publish/publish-next.js b/publish/publish-next.js
index 20dedcd4db..0646c25d6e 100755
--- a/publish/publish-next.js
+++ b/publish/publish-next.js
@@ -13,7 +13,7 @@ const publishNext = () => {
 fs.writeFileSync("./dist/package.json", JSON.stringify(pkgJson, null, 2));
 try {
- execSync("cd dist && npm publish --tag next", { stdio: "inherit" });
+ execSync("cd dist && npm publish --tag next --loglevel verbose", { stdio: "inherit" });
 } catch (e) {
 console.log(e);
 console.log("Next publish failed.");
From 4a189c91ecd79775da8c133f40f6853a23e5fdb2 Mon Sep 17 00:00:00 2001
From: Diana Suvorova
Date: Mon, 8 Jun 2026 14:58:47 -0700
Subject: [PATCH 4/5] fix: clear setup-node auth token to allow OIDC trusted publisher flow
---
 .github/workflows/release.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f08162e5e9..525e127081 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
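Review bot: `--loglevel verbose` in patch 3 is hard-coded into the `--tag next` publish command only, so the stable publish in the same file stays at the default level and another commit is needed to take the flag out again. For a diagnostic run it is cleaner to leave the script unchanged and set `NPM_CONFIG_LOGLEVEL: verbose` in the workflow step's `env:`, which covers both publish calls. Verbose npm output in a release job's log should be treated as temporary and removed once the auth failure is understood. The `publishNext` body starts and ends outside the hunk.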
@@ -43,5 +43,8 @@ jobs:
 - name: Build d.ts files
 run: pnpm build:lib:dts
+ - name: Clear npm auth token for trusted publisher OIDC
+ run: echo "registry=https://registry.npmjs.org/" > $NPM_CONFIG_USERCONFIG
+
 - name: Publishing next version
 run: ./publish/publish-next.js
From 7f824fc712eb8f077ede3dc7c3d03e8168a77889 Mon Sep 17 00:00:00 2001
From: Diana Suvorova
Date: Mon, 8 Jun 2026 15:24:44 -0700
Subject: [PATCH 5/5] fix: use NPM_TOKEN for auth, keep trusted publisher for provenance
---
 .github/workflows/release.yml | 5 ++---
 publish/publish-next.js | 2 +-
 2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 525e127081..76952dc3c0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -43,8 +43,7 @@ jobs:
 - name: Build d.ts files
 run: pnpm build:lib:dts
- - name: Clear npm auth token for trusted publisher OIDC
- run: echo "registry=https://registry.npmjs.org/" > $NPM_CONFIG_USERCONFIG
-
 - name: Publishing next version
 run: ./publish/publish-next.js
+ env:
+ NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/publish/publish-next.js b/publish/publish-next.js
index 0646c25d6e..20dedcd4db 100755
--- a/publish/publish-next.js
+++ b/publish/publish-next.js
@@ -13,7 +13,7 @@ const publishNext = () => {
 fs.writeFileSync("./dist/package.json", JSON.stringify(pkgJson, null, 2));
 try {
- execSync("cd dist && npm publish --tag next --loglevel verbose", { stdio: "inherit" });
+ execSync("cd dist && npm publish --tag next", { stdio: "inherit" });
 } catch (e) {
 console.log(e);
 console.log("Next publish failed.");
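Review bot: The added `run:` line in patch 4 redirects into an unquoted `$NPM_CONFIG_USERCONFIG` and truncates the whole file, so every setting setup-node wrote there is lost, not only the auth token line. If the variable is ever empty the redirect fails with a shell error instead of a clear message. Quote the path and fail explicitly when it is unset: `run: echo "registry=https://registry.npmjs.org/" > "${NPM_CONFIG_USERCONFIG:?}"`. A comment on the step naming which line of the generated .npmrc blocks the OIDC flow would also help, since the step name alone does not say.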
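Review bot: The new `env:` block in patch 5 hands the long-lived `secrets.NPM_TOKEN` to the whole `./publish/publish-next.js` process, and nothing visible in this series turns provenance on: both publish commands are plain `npm publish` without `--provenance`, and with token auth npm does not attach an attestation by default. If provenance is the goal named in the subject, add `NPM_CONFIG_PROVENANCE: "true"` next to `NODE_AUTH_TOKEN`; the job then needs `permissions: id-token: write`, which is not visible here. The token should be a granular, publish-only token limited to this package so that exposure from the job stays bounded.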