From 522f41a6c593429c352e5e9e1769c36087b0b93c Mon Sep 17 00:00:00 2001
From: Felix Weinberger
Date: Wed, 1 Apr 2026 14:55:02 +0000
Subject: [PATCH 1/2] chore(ci): switch publish to OIDC trusted publishing
---
 .github/workflows/main.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 1f64aab3e..9635abd52 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -59,7 +59,6 @@ jobs:
 with:
 node-version: 24
 cache: npm
- registry-url: 'https://registry.npmjs.org'
 - run: npm ci
@@ -85,5 +84,3 @@ jobs:
 fi
 - run: npm publish --provenance --access public ${{ steps.npm-tag.outputs.tag }}
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
From a71bbe9b65b66910daed057965279525035fb6d5 Mon Sep 17 00:00:00 2001
From: Felix Weinberger
Date: Thu, 9 Apr 2026 12:47:26 +0000
Subject: [PATCH 2/2] ci: pin npm@11.5.1 for OIDC publish (parity with #1838)
---
 .github/workflows/main.yml | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 9635abd52..453a5f8e5 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -62,6 +62,9 @@ jobs:
 - run: npm ci
+ - name: Ensure npm CLI supports OIDC trusted publishing
+ run: npm install -g npm@11.5.1
+
 - name: Determine npm tag
 id: npm-tag
 run: |
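Review bot: The new step `run: npm install -g npm@11.5.1` is named "Ensure …" but unconditionally replaces the bundled npm with that exact version, so if the `node-version: 24` toolchain set up earlier in the job already ships a newer npm, the publish runs on a downgraded CLI. Keeping an exact pin is reasonable for the job that performs the OIDC publish, but the reason and the floor should be recorded above the step, e.g. `# npm trusted publishing needs npm >= 11.5.1; raise this pin deliberately, never float it`. I would also append `npm --version` to the step so the publish log shows which CLI performed the publish. The hunk ends at `run: |` of the "Determine npm tag" step, whose script lies outside it.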