From 4cd02e0d097aaf7efe3241917e84a20cafac570e Mon Sep 17 00:00:00 2001
From: Sambhav Aggarwal <4591834+sambhav-aggarwal@users.noreply.github.com>
Date: Sun, 3 May 2026 15:01:52 +0530
Subject: [PATCH] Fix OIDC auth: drop registry-url from setup-node, add publishConfig
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

actions/setup-node@v4 with registry-url writes '//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}' into .npmrc. With NODE_AUTH_TOKEN unset (we use OIDC, not a token), npm sees a literal placeholder as the auth header and bails with 404 — never attempting the trusted-publishing OIDC exchange. Removing registry-url leaves .npmrc clean so npm CLI can fall through to the OIDC flow. Add publishConfig to package.json so the registry and access level are recorded in the package itself, and drop --access public from the workflow command (now redundant). Bump Node to 22.x.
---
 .github/workflows/publish.yml | 5 ++---
 package-lock.json | 4 ++--
 package.json | 6 +++++-
 3 files changed, 9 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index b7589e6..7c18d0e 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -15,9 +15,8 @@ jobs:
 - uses: actions/checkout@v4
 - uses: actions/setup-node@v4
 with:
- node-version: 20.x
- registry-url: 'https://registry.npmjs.org'
+ node-version: 22.x
 cache: npm
 - run: npm ci
 - run: npm run build
- - run: npm publish --access public --provenance
+ - run: npm publish --provenance
diff --git a/package-lock.json b/package-lock.json
index b625c1c..378d5a5 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "@ssntpl/otper-cli",
- "version": "0.1.2",
+ "version": "0.1.3",
 "lockfileVersion": 3,
 "requires": true,
 "packages": {
 "": {
 "name": "@ssntpl/otper-cli",
- "version": "0.1.2",
+ "version": "0.1.3",
 "license": "MIT",
 "dependencies": {
 "@oclif/core": "^4.0.30",
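Review bot: The publish step in .github/workflows/publish.yml now depends entirely on npm's OIDC trusted-publishing exchange, but nothing in the job ensures the npm CLI is new enough to perform it. npm's trusted-publishing documentation requires npm CLI 11.5.1 or later, and Node 22.x releases have generally bundled npm 10.x, so `npm publish --provenance` may still fail to authenticate after this change. Consider adding a step such as `- run: npm install -g npm@11` before the publish step (or moving to a Node line that bundles npm 11), and logging `npm --version` so a failed publish is easy to diagnose. The job's `permissions` block lies outside the hunk; confirm it grants `id-token: write`, since both the OIDC exchange and provenance signing need it.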
diff --git a/package.json b/package.json
index 8ef3050..befb475 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@ssntpl/otper-cli",
- "version": "0.1.2",
+ "version": "0.1.3",
 "description": "Command-line interface for Otper boards (https://otper.com).",
 "author": "SSNTPL ",
 "license": "MIT",
@@ -32,6 +32,10 @@
 "engines": {
 "node": ">=18"
 },
+ "publishConfig": {
+ "access": "public",
+ "registry": "https://registry.npmjs.org/"
+ },
 "scripts": {
 "build": "shx rm -rf dist && tsc",
 "lint": "tsc --noEmit",
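Review bot: The new `publishConfig` block in package.json records the registry and access level but leaves provenance as a CLI flag in the workflow, so the package itself does not state that it must be published with an attestation. npm also reads `provenance` from `publishConfig`; adding `"provenance": true` next to `"access": "public"` would keep all publish settings in one place. It should also make a publish from outside a supported CI environment fail rather than silently ship an unattested build, though that behaviour is worth confirming against the npm version in use.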