ci: add trusted npm publish workflow

Dmatut7 · Dmatut7 · commit a5f136e4e762 · 2026-06-05T10:07:14.000-07:00
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -0,0 +1,43 @@
+name: Publish
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: read
+  id-token: write
+
+jobs:
+  npm:
+    runs-on: ubuntu-latest
+    if: github.repository == 'Dmatut7/codex-flow'
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: npm
+          registry-url: https://registry.npmjs.org
+
+      - name: Install
+        run: npm ci
+
+      - name: Verify tag matches package version
+        run: |
+          TAG_VERSION="${GITHUB_REF_NAME#v}"
+          PKG_VERSION="$(node -p "require('./package.json').version")"
+          test "$TAG_VERSION" = "$PKG_VERSION"
+
+      - name: Typecheck
+        run: npm run typecheck
+
+      - name: Test
+        run: npm test
+
+      - name: Publish to npm
+        run: npm publish --access public
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## Unreleased
+
+- Added GitHub Actions npm Trusted Publishing workflow so tagged releases can publish without local npm tokens or OTP.
+
 ## 0.2.4 — 2026-06-05
 
 - Added the `parallel-fix` Codex skill and example workflow for proposing independent fixes concurrently, then integrating and verifying serially.
diff --git a/tests/cli.test.ts b/tests/cli.test.ts
@@ -71,6 +71,15 @@ describe("codex-flow cli", () => {
     assert.ok(tsconfig.include?.includes("cli/**/*.ts"), "tsconfig include should cover cli/**/*.ts");
   });
 
+  it("release workflow is configured for npm trusted publishing", async () => {
+    const workflow = await readFile(path.join(repoRoot, ".github", "workflows", "publish.yml"), "utf8");
+
+    assert.match(workflow, /on:\s*\n\s+push:\s*\n\s+tags:\s*\n\s+- ['"]v\*['"]/);
+    assert.match(workflow, /id-token:\s*write/);
+    assert.match(workflow, /npm publish --access public/);
+    assert.doesNotMatch(workflow, /NODE_AUTH_TOKEN|NPM_TOKEN|_authToken/);
+  });
+
   it("smoke tells codex-sdk users to use membership login instead of an API key", () => {
     const hint = unavailableHint("codex-sdk");
     assert.match(hint, /Codex membership/i);
