From f3df8f5f26a9d35f570252d360d52f81ccc0fdac Mon Sep 17 00:00:00 2001
From: Hunter Bown
Date: Fri, 24 Apr 2026 16:13:59 -0500
Subject: [PATCH] ci: publish npm with trusted publishing

---
 .github/workflows/publish-npm.yml | 6 ++----
 .github/workflows/release.yml | 10 ++++------
 docs/RELEASE_RUNBOOK.md | 9 ++++++++-
 3 files changed, 14 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml
index 6881f0e0..a9b7f0b8 100644
--- a/.github/workflows/publish-npm.yml
+++ b/.github/workflows/publish-npm.yml
@@ -21,7 +21,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: '20'
+          node-version: '24'
           registry-url: 'https://registry.npmjs.org'
       - name: Verify package version
         working-directory: npm/deepseek-tui
@@ -34,6 +34,4 @@ jobs:
           fi
       - name: Publish wrapper to npm
         working-directory: npm/deepseek-tui
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-        run: npm publish --provenance --access public
+        run: npm publish --access public
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b713f267..08a25ba6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -119,8 +119,8 @@ jobs:
   publish-npm:
     needs: release
     runs-on: ubuntu-latest
-    # Trusted Publishing via OIDC — no NPM_TOKEN required.
-    # Configure the trusted publisher on the npm package settings page.
+    # Trusted Publishing via OIDC. Configure npm to trust this workflow
+    # filename (`release.yml`) for Hmbown/DeepSeek-TUI.
     permissions:
       contents: read
       id-token: write
@@ -128,10 +128,8 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: '20'
+          node-version: '24'
           registry-url: 'https://registry.npmjs.org'
       - name: Publish wrapper to npm
         working-directory: npm/deepseek-tui
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-        run: npm publish --provenance --access public
+        run: npm publish --access public
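Review bot: The publish step in this hunk now depends on an OIDC-issued credential, but nothing visible grants the job `id-token: write`, and the runbook hunk registers only `release.yml` as the trusted workflow filename; as far as I understand npm's trusted-publisher matching, a publisher entry is bound to one workflow file, so a run of `publish-npm.yml` would obtain no credential and `npm publish` would fail at authentication unless the permission already exists above line 21 and a second publisher entry is configured for this file. This hunk and release.yml's `@@ -128` hunk also drop `--provenance`; npm generates the attestation implicitly on the trusted-publishing path for public packages, but keeping `run: npm publish --provenance --access public` states the intent and fails fast if an attestation cannot be produced. A comment above the step such as `# Trusted Publishing via OIDC: npm must trust workflow filename publish-npm.yml for this repo, and the job needs id-token: write.` would make the dependency visible to the next maintainer. The job definition and its permissions block start outside the hunk.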
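Review bot: `node-version: '24'` resolves to whatever 24.x setup-node serves on the day, and the OIDC path needs npm 11.5.1+ (the runbook hunk states this), so an older 24.x in the runner toolcache would make `npm publish` fall back to token auth and fail with no obvious cause; a guard before the publish step, `run: node -e "const [a,b,c]=process.versions.npm.split('.').map(Number); if (a<11||(a===11&&(b<5||(b===5&&c<1)))) { console.error('npm >= 11.5.1 required'); process.exit(1) }"`, turns that into a clear failure. The same applies to the matching hunk in publish-npm.yml. Because the package's publishing identity is now derived from this workflow's OIDC claims rather than a stored secret, the third-party actions in the job (`actions/checkout@v4`, `actions/setup-node@v4`) sit inside the publishing trust boundary; pinning them to commit SHAs is the usual hardening for a release job. The job's `steps:` line is outside the hunk.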
diff --git a/docs/RELEASE_RUNBOOK.md b/docs/RELEASE_RUNBOOK.md
index 6a2045b0..30dd85b7 100644
--- a/docs/RELEASE_RUNBOOK.md
+++ b/docs/RELEASE_RUNBOOK.md
@@ -132,7 +132,11 @@ release verification script both depend on that checksum manifest.
 
 1. Set the npm package version in [npm/deepseek-tui/package.json](../npm/deepseek-tui/package.json).
 2. Set `deepseekBinaryVersion` to the GitHub release tag that should supply binaries.
-3. Run:
+3. For GitHub Actions publishing, configure npm Trusted Publishing for:
+   - Publisher: GitHub Actions
+   - Repository: `Hmbown/DeepSeek-TUI`
+   - Workflow filename: `release.yml`
+4. Run:
 
 ```bash
 cd npm/deepseek-tui
@@ -141,6 +145,9 @@
 npm publish
 ```
 
 `prepublishOnly` verifies that all expected release assets and the checksum manifest exist.
+The tag release workflow publishes through npm Trusted Publishing, so it does
+not use `NPM_TOKEN`. npm requires Node 22.14.0+ and npm 11.5.1+ for that OIDC
+path; the workflow uses Node 24.
 
 ## Recovery and Rollback