From 1238a9733fdf817b175264f998c4861da701db7f Mon Sep 17 00:00:00 2001
From: Minsu Lee
Date: Mon, 1 Jun 2026 23:49:50 +0900
Subject: [PATCH 1/2] ci: publish via npm (bun pm pack) for provenance/trusted publishing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
bun publish supports neither npm OIDC trusted publishing nor --provenance (oven-sh/bun#22423), so the publish job failed with 'missing authentication'. Switch the publisher to the npm CLI: - bun pm pack builds the tarball, npm publish --provenance uploads it - actions/setup-node provisions the registry .npmrc + an npm new enough for provenance; id-token: write grants the OIDC token - npm view guards make the job idempotent (skip already-published vers) - add the missing @pleaseai/code-style (cli) publish step — it was stuck at 0.0.1 on npm while the manifest tracks 0.0.3
---
 .github/workflows/release-please.yml | 53 ++++++++++++++++++++++++---- 1 file changed, 46 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index 4408dd0..c602213 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -16,6 +16,7 @@ jobs: releases_created: ${{ steps.release.outputs.releases_created }} eslint-config-released: ${{ steps.release.outputs['packages/eslint-config--release_created'] }} prettier-config-released: ${{ steps.release.outputs['packages/perttier-config--release_created'] }} + code-style-released: ${{ steps.release.outputs['packages/cli--release_created'] }} steps: - uses: actions/create-github-app-token@1b10c78c7865c340bc4f6099eb2f838309f1e8c3 # v3.1.1 id: app-token
@@ -34,6 +35,9 @@ jobs: needs: release-please if: ${{ needs.release-please.outputs.releases_created == 'true' }} runs-on: ubuntu-latest + permissions: + contents: read + id-token: write # npm provenance / trusted publishing (OIDC) steps: - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 
@@ -41,23 +45,58 @@ jobs: with: bun-version: latest + # npm CLI is the publisher: bun publish supports neither npm OIDC + # trusted publishing nor --provenance (oven-sh/bun#22423). setup-node + # provisions the registry .npmrc and an npm new enough for provenance. + - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + with: + node-version-file: .nvmrc + registry-url: https://registry.npmjs.org + - name: Install dependencies run: bun install - name: Build run: bun run build - - name: Set npm auth token - run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> ~/.npmrc - env: - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - - name: Publish @pleaseai/eslint-config if: ${{ needs.release-please.outputs.eslint-config-released == 'true' }} - run: bun publish --access public working-directory: packages/eslint-config + run: | + VERSION=$(node -p "require('./package.json').version") + if npm view "@pleaseai/eslint-config@$VERSION" version 2>/dev/null; then + echo "⚠ @pleaseai/eslint-config@$VERSION already published, skipping" + else + bun pm pack + npm publish pleaseai-eslint-config-*.tgz --provenance --access public + fi + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - name: Publish @pleaseai/prettier-config if: ${{ needs.release-please.outputs.prettier-config-released == 'true' }} - run: bun publish --access public working-directory: packages/perttier-config + run: | + VERSION=$(node -p "require('./package.json').version") + if npm view "@pleaseai/prettier-config@$VERSION" version 2>/dev/null; then + echo "⚠ @pleaseai/prettier-config@$VERSION already published, skipping" + else + bun pm pack + npm publish pleaseai-prettier-config-*.tgz --provenance --access public + fi + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + + - name: Publish @pleaseai/code-style + if: ${{ needs.release-please.outputs.code-style-released == 'true' }} + working-directory: packages/cli + run: | + VERSION=$(node -p "require('./package.json').version") + if npm view 
"@pleaseai/code-style@$VERSION" version 2>/dev/null; then + echo "⚠ @pleaseai/code-style@$VERSION already published, skipping" + else + bun pm pack + npm publish pleaseai-code-style-*.tgz --provenance --access public + fi + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
From d3a842c1e534e50fab410c374f7315eac448dc2a Mon Sep 17 00:00:00 2001
From: Minsu Lee
Date: Tue, 2 Jun 2026 00:04:04 +0900
Subject: [PATCH 2/2] ci: use tokenless OIDC trusted publishing (drop NPM_TOKEN)
Authenticate to npm purely via OIDC: id-token: write mints the token, a trusted publisher configured on npmjs.com authorizes it. Removes the NODE_AUTH_TOKEN/NPM_TOKEN secret entirely. - ensure npm >= 11.5.1 (OIDC trusted-publishing minimum) before publish - no long-lived registry token in CI
---
 .github/workflows/release-please.yml | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
index c602213..ff79a09 100644
--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -47,12 +47,18 @@ jobs: # npm CLI is the publisher: bun publish supports neither npm OIDC # trusted publishing nor --provenance (oven-sh/bun#22423). setup-node - # provisions the registry .npmrc and an npm new enough for provenance. + # provisions the registry .npmrc; id-token: write + a trusted publisher + # configured on npmjs.com let npm authenticate tokenlessly via OIDC. - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: node-version-file: .nvmrc registry-url: https://registry.npmjs.org + # OIDC trusted publishing requires npm >= 11.5.1; pin to the latest 11.x + # in case the runner's bundled npm predates it. + - name: Ensure npm supports trusted publishing + run: npm install -g npm@^11.5.1 + - name: Install dependencies run: bun install
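Review bot: Each of the three publish steps in this hunk spells the package name by hand in the `npm view` guard and again in the tarball glob, independently of the `name` field in the package.json it reads the version from, so a rename or a typo in either place silently disables the already-published check or publishes a different file than the one checked. Read the name next to the version, `NAME=$(node -p "require('./package.json').name")`, and guard with `"$NAME@$VERSION"`. The glob `pleaseai-eslint-config-*.tgz` also hands every matching tarball in the directory to `npm publish`; on a fresh checkout that is presumably a single file, but asserting exactly one match before publishing would make the step fail closed instead of uploading a stale artifact. `node-version-file: .nvmrc` assumes that file exists at the repository root, which this diff does not show.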
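Review bot: `run: npm install -g npm@^11.5.1` fetches whichever 11.x is newest at run time, so the tool that attests and uploads every release is unpinned while every action in this file is pinned to a commit SHA; the comment above it says "pin", but a caret range floats. Install an exact version, `run: npm install -g npm@<EXACT_VERSION>` with the number written out, and bump it deliberately like the action SHAs. Separately, setup-node with `registry-url` still writes an `_authToken=${NODE_AUTH_TOKEN}` entry into the runner's .npmrc even though the secret is no longer supplied; I have not confirmed how npm 11.5.x picks between that entry and the OIDC exchange, so a dry run of the publish job before the next release is worth doing. The enclosing `steps:` list continues outside the hunk.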
@@ -70,8 +76,6 @@ jobs: bun pm pack npm publish pleaseai-eslint-config-*.tgz --provenance --access public fi - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - name: Publish @pleaseai/prettier-config if: ${{ needs.release-please.outputs.prettier-config-released == 'true' }}
@@ -84,8 +88,6 @@ jobs: bun pm pack npm publish pleaseai-prettier-config-*.tgz --provenance --access public fi - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - name: Publish @pleaseai/code-style if: ${{ needs.release-please.outputs.code-style-released == 'true' }}
@@ -98,5 +100,3 @@ jobs: bun pm pack npm publish pleaseai-code-style-*.tgz --provenance --access public fi - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}