From 0e2dcc098957e78a9202961d06df77391ba80386 Mon Sep 17 00:00:00 2001
From: ob-aion <ob@coroboros.com>
Date: Wed, 20 May 2026 15:05:18 +0700
Subject: [PATCH] chore(ci): switch to OIDC publish

Drop NPM_PACKAGE_REGISTRY_TOKEN and NPM_EXTRA_CONFIG from the
secrets: block of .github/workflows/ci.yml. The npm Trusted
Publisher form is now configured for @coroboros/uri (GitHub Actions
/ coroboros / uri / ci.yml / no environment) and both repo secrets
have been removed.

The reusable workflow auto-detects the OIDC branch when the token
secret is absent and runs pnpm publish --provenance --no-git-checks.
1.0.1+ publishes via OIDC + provenance, no long-lived token in the
repo. ci.yml now mirrors packages/clone/.github/workflows/ci.yml.
---
 .github/workflows/ci.yml | 2 --
 1 file changed, 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 592e6c7..ca5face 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -22,7 +22,5 @@ jobs:
     uses: coroboros/ci/.github/workflows/javascript-npm-packages.yml@v0
     secrets:
       NPM_CONFIG_FILE: ${{ secrets.NPM_CONFIG_FILE }}
-      NPM_EXTRA_CONFIG: ${{ secrets.NPM_EXTRA_CONFIG }}
       NPM_PACKAGE_REGISTRY: ${{ secrets.NPM_PACKAGE_REGISTRY }}
       NPM_PACKAGE_PROXY_REGISTRY: ${{ secrets.NPM_PACKAGE_PROXY_REGISTRY }}
-      NPM_PACKAGE_REGISTRY_TOKEN: ${{ secrets.NPM_PACKAGE_REGISTRY_TOKEN }}