Goal: stop npm publish tokens from expiring by migrating CI publishing to npm trusted publishing (OIDC). No stored token, nothing to rotate.
Context: NPM_TOKEN expiry email received 2026-07-09. npm granular write tokens are capped at 90 days and classic tokens are revoked, so rotation emails are permanent unless we go tokenless.
PR plan
Manual steps (npmjs.com, browser — Elberte)
Configure GitHub Actions trusted publisher on each package (Settings → Trusted Publisher):
Cleanup
Ordering note: merging the PRs is safe before the npmjs.com config (publish only runs on tags), but a tag pushed after merge and before trusted-publisher config will fail to publish. Do the browser steps first.
Current status: Planned
Next action: PR 1
Goal: stop npm publish tokens from expiring by migrating CI publishing to npm trusted publishing (OIDC). No stored token, nothing to rotate.
Context:
NPM_TOKENexpiry email received 2026-07-09. npm granular write tokens are capped at 90 days and classic tokens are revoked, so rotation emails are permanent unless we go tokenless.PR plan
publish.yml→ OIDC.github/workflows/publish.yml(addid-token: write, dropNODE_AUTH_TOKEN)release.yml→ OIDC.github/workflows/release.yml(addid-token: write, dropNODE_AUTH_TOKEN, Node 20 → 24 for npm ≥ 11.5.1)Manual steps (npmjs.com, browser — Elberte)
Configure GitHub Actions trusted publisher on each package (Settings → Trusted Publisher):
pickforge/pickforge-platform, workflowpublish.ymlpickforge/picklab, workflowrelease.ymlCleanup
NPM_TOKENsecret on pickforge-platformNPM_TOKENsecret on picklabOrdering note: merging the PRs is safe before the npmjs.com config (publish only runs on tags), but a tag pushed after merge and before trusted-publisher config will fail to publish. Do the browser steps first.
Current status: Planned
Next action: PR 1