From 33a31d37fa64c003e3ae942a811aa64cccc61327 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pedro=20Brand=C3=A3o?= <pedro@significa.co>
Date: Mon, 25 May 2026 22:50:23 +0100
Subject: [PATCH] publish: use npm for publishing instead of pnpm

pnpm publish does not perform the OIDC token exchange that npm trusted
publishing requires. The 0.2.0 release failed with ENEEDAUTH because
pnpm fell straight through to legacy token auth, ignoring the
id-token: write permission.

Keep pnpm for install (lockfile compat). Use npm only for the publish
step. Update npm to latest first since node 22's bundled npm is older
than the trusted-publishing release (11.5.1+).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .github/workflows/publish.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 661158e..2bbfba3 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -18,6 +18,9 @@ jobs:
 
       - uses: jdx/mise-action@v2
 
+      - name: Update npm to a version with trusted publishing
+        run: npm install -g npm@latest
+
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 
@@ -36,4 +39,4 @@ jobs:
 
       - name: Publish to npm
         working-directory: ${{ steps.pkg.outputs.dir }}
-        run: pnpm publish --no-git-checks --access=public --provenance
+        run: npm publish --access=public --provenance