Adopt trusted npm publishing and expand README examples

bmurdock · bmurdock · commit 774b89fa0fca · 2026-04-01T10:10:03.000-05:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -24,7 +24,7 @@ jobs:
       - name: Set up Node.js
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: 20
+          node-version: 24
           cache: npm
           registry-url: https://registry.npmjs.org
 
@@ -41,7 +41,7 @@ jobs:
         run: npm pack
 
       - name: Verify npm publish dry-run
-        run: npm publish --dry-run --access public
+        run: npm publish --dry-run
 
   publish:
     if: github.event_name == 'push'
@@ -56,7 +56,7 @@ jobs:
       - name: Set up Node.js
         uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
         with:
-          node-version: 20
+          node-version: 24
           cache: npm
           registry-url: https://registry.npmjs.org
 
@@ -70,6 +70,4 @@ jobs:
           npm run build
 
       - name: Publish to npm with provenance
-        run: npm publish --provenance --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npm publish
diff --git a/README.md b/README.md
@@ -34,6 +34,31 @@ const api = createClient({
 const user = await api.get<{ id: string; name: string }>('/users/123')
 ```
 
+### JSON request bodies
+
+```ts
+import { createClient } from '@gavoryn/clearfetch'
+
+const api = createClient({
+  baseURL: 'https://api.example.com',
+})
+
+const created = await api.post<{ id: string }>('/users', {
+  json: {
+    name: 'Ada Lovelace',
+    role: 'admin',
+  },
+})
+```
+
+If `json` is provided, clearfetch:
+
+- serializes the value with `JSON.stringify()`
+- sets `Content-Type: application/json` if it is not already present
+- rejects the request with `ConfigError` if `body` is also provided
+
+Use `body` directly only when you want to send a raw payload such as `FormData`, `URLSearchParams`, or pre-serialized text.
+
 ### Extended client defaults
 
 ```ts
@@ -124,6 +149,8 @@ try {
 - `beforeRequest` may mutate headers, but hook option metadata is read-only.
 - Retry support is opt-in and conservative by default.
 - Retry support does not allow streaming request bodies.
+- The `json` helper serializes request bodies and sets `Content-Type: application/json` when absent.
+- `body` and `json` cannot be used together.
 - The package performs no telemetry or hidden network activity beyond the caller's request.
 
 ## Supported runtimes
@@ -148,6 +175,7 @@ The package is ESM-only and does not target legacy runtimes or polyfill-driven e
 - CI also runs a lightweight browser-like test path using `happy-dom` on Node.js `20`.
 - Dependency review is configured for pull requests and manual validation, but requires the relevant GitHub security features to be enabled on the repository.
 - The release workflow supports a non-publishing dry-run path via manual dispatch.
+- npm publishing now uses npm trusted publishing from GitHub Actions instead of a long-lived publish token.
 - Normal releases are expected to publish from GitHub Actions, not from local machines.
 - Release and repository protection policy is documented in [RELEASE.md](./RELEASE.md).
 
@@ -170,4 +198,4 @@ The public package surface is intentionally narrow:
 
 ## Status
 
-`clearfetch` is ready for its initial `1.0.0` release as `@gavoryn/clearfetch`. Project goals and behavior are documented in `PURPOSE.md` and `DESIGN.md`.
+`clearfetch` is published as `@gavoryn/clearfetch`. Project goals and behavior are documented in `PURPOSE.md` and `DESIGN.md`.
diff --git a/RELEASE.md b/RELEASE.md
@@ -45,22 +45,29 @@ Release tags should be annotated and should be signed when practical.
 
 If signed tags are not yet mandatory for every maintainer environment, they should still be treated as the target policy for official releases.
 
-## npm account and token requirements
+## npm account and trusted publishing requirements
 
 The npm account used to administer the package should require 2FA.
 
-Publishing from CI should use an npm automation token stored as the `NPM_TOKEN` GitHub Actions secret for the `npm` environment. That token should have the minimum scope necessary for publishing this package.
+Publishing from CI should use npm trusted publishing through GitHub Actions OIDC, not a long-lived write token.
+
+The npm package settings for `@gavoryn/clearfetch` should define a trusted publisher with:
+
+- organization or user: `bmurdock`
+- repository: `clearfetch`
+- workflow filename: `release.yml`
+- environment name: `npm`
 
 ## GitHub Actions configuration
 
 The release workflow assumes:
 
 - GitHub Actions is enabled for the repository
 - an environment named `npm` exists
-- the `npm` environment contains an `NPM_TOKEN` secret
+- the npm package has a matching trusted publisher configured on npmjs.com
 - maintainers review changes to workflow files with the same care as runtime code
 
-The release workflow uses `id-token: write` so npm provenance can be attached during publish.
+The release workflow uses `id-token: write` so npm can exchange the workflow identity for publish access. When trusted publishing is configured, npm also generates provenance automatically for public packages from public repositories.
 
 ## Runtime and security expectations
 
diff --git a/package.json b/package.json
@@ -40,6 +40,9 @@
   },
   "homepage": "https://github.com/bmurdock/clearfetch#readme",
   "license": "MIT",
+  "publishConfig": {
+    "access": "public"
+  },
   "devDependencies": {
     "@types/node": "^24.5.2",
     "happy-dom": "^20.8.9",
