
ci: migrate npm release to OIDC trusted publishing with provenance #140

Merged
jaredwray merged 1 commit into main from claude/serene-hamilton-qfdy65 on Jun 12, 2026

Conversation

@jaredwray (Contributor)

Summary

Migrates the release workflow from a long-lived NPM_TOKEN to npm trusted publishing (OIDC) and enables provenance attestations on every publish.

With trusted publishing, GitHub Actions mints a short-lived OIDC token that npm exchanges for ephemeral publish credentials — no secret to rotate or leak. Provenance attestations cryptographically link each published version back to the exact commit and workflow run that built it (the green "provenance" badge on npmjs.com).

Changes

.github/workflows/release.yaml

  • Add id-token: write permission (keeps contents: read) so the job can mint an OIDC token.
  • Set registry-url: 'https://registry.npmjs.org' on setup-node (per npm's trusted-publishing guidance).
  • Add an Update npm step (npm install -g npm@latest) — trusted publishing requires npm CLI ≥ 11.5.1, newer than the version bundled with Node.js 22.
  • Publish via npm publish --provenance --ignore-scripts and remove the NPM_TOKEN secret and the npm config set //registry.npmjs.org/:_authToken step.

package.json

  • Add a public repository field (plus homepage and bugs). A repository field that matches the source repo case-sensitively (Hyphen/nodejs-sdk) is required for npm to generate provenance attestations.

⚠️ Required one-time setup before the next release

The workflow change alone is not sufficient — a trusted publisher must be configured on npm, otherwise the publish will fail with an auth error. On https://www.npmjs.com/package/@hyphen/sdk (Settings → Trusted Publisher), add a GitHub Actions publisher with:

Field                   Value
Organization or user    Hyphen
Repository              nodejs-sdk
Workflow filename       release.yaml
Environment name        (leave blank — none is used)

The NPM_TOKEN repository secret can be deleted once this is in place.

Verification

  • pnpm build — succeeds
  • pnpm test — lint clean, 233 tests pass, 100% coverage (statements/branches/functions/lines)

References

https://claude.ai/code/session_016qHimevBQJsTHzBxV7B2od


Generated by Claude Code

- Add `id-token: write` permission so the workflow can mint an OIDC token
- Set `registry-url` on setup-node and upgrade npm to the latest (>= 11.5.1),
  which is required for trusted publishing
- Publish with `--provenance` and drop the long-lived `NPM_TOKEN` secret;
  authentication is now handled via OIDC trusted publishing
- Add `repository` (plus `homepage`/`bugs`) to package.json — a public
  `repository` field matching the source repo is required to generate
  provenance attestations

https://claude.ai/code/session_016qHimevBQJsTHzBxV7B2od
@codecov (bot) commented Jun 12, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (19f5c37) to head (de6caf4).

Additional details and impacted files
@@            Coverage Diff            @@
##              main      #140   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            8         8           
  Lines          492       492           
  Branches       105       105           
=========================================
  Hits           492       492           


# Trusted publishing (OIDC) requires npm CLI >= 11.5.1, which is newer than
# the version bundled with Node.js 22.
- name: Update npm
run: npm install -g npm@latest
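Review bot: `npm install -g npm@latest` installs an unpinned npm into the one job that now holds publish rights, so the publishing toolchain is whatever `latest` resolved to on release day; pin an exact version that meets the 11.5.1 floor the comment states (for example `run: npm install -g npm@11.5.1`) and bump it deliberately. If this step is dropped in favour of pnpm as the comment below asks, confirm first that the pinned pnpm release supports the OIDC trusted-publishing exchange, otherwise the npm floor still applies.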

@jaredwray (Contributor, Author) commented:

Use pnpm instead. Add in pnpm/setup action.

- name: Publish
# No NPM_TOKEN: authentication is handled via OIDC trusted publishing.
# Provenance attestations are generated from the OIDC identity.
run: npm publish --provenance --ignore-scripts
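Review bot: with `--ignore-scripts`, no `prepublishOnly`/`prepack` hook runs here, so the tarball is whatever the earlier build step left on disk; run `npm publish --dry-run` (or `npm pack --dry-run`) immediately before this step and fail the job if the listed files are not the expected build output. The comment should also say that `--provenance` only succeeds once the trusted publisher on npmjs.com matches this repository and the `release.yaml` filename exactly (the one-time setup from the PR description); a mismatch is only found at publish time, after the build has run.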

@jaredwray (Contributor, Author) commented:

Use pnpm.

@jaredwray jaredwray merged commit 522537b into main Jun 12, 2026
9 of 12 checks passed
@jaredwray jaredwray deleted the claude/serene-hamilton-qfdy65 branch June 12, 2026 16:55