
Conversation

Contributor

Copilot AI commented Nov 9, 2025

Description

Workflow failed with 404 Not Found - 'qlaw-cli@0.1.2' is not in this registry because the package doesn't exist on npm yet. This PR configures the workflow to use npm Trusted Publishing with GitHub Actions OIDC authentication, eliminating the need for stored npm tokens.

Type of Change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Code refactoring
  • Performance improvement
  • Test addition or update
  • Dependency update

Related Issues

Fixes the npm publish failure in workflow runs

Changes Made

Workflow Configuration

  • Uses OIDC trusted publishing (no npm tokens required)
  • Added --access public flag to npm publish command
  • Maintains --provenance flag for supply chain security
  • Keeps id-token: write permission for GitHub OIDC authentication

Documentation

  • Created comprehensive docs/PUBLISHING.md with trusted publishing setup guide
  • Includes step-by-step npmjs.com configuration instructions
  • Covers OIDC authentication explanation and benefits
  • Provides troubleshooting for trusted publishing issues
  • Documents security benefits and provenance attestation
  • Added publishing guide link to README

Screenshots (if applicable)

N/A - Workflow configuration changes

Testing

Test Configuration

  • OS: Ubuntu (GitHub Actions)
  • Terminal: N/A
  • Bun Version: latest

Test Cases

  • Ran type checking (bun run typecheck)
  • Validated YAML syntax
  • Verified package.json integrity
  • CodeQL security scan (0 vulnerabilities)
  • Verified OIDC permissions are correctly configured
  • Other: Actual publish requires trusted publisher configuration on npmjs.com

Checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings or errors
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • Any dependent changes have been merged and published
  • I have checked my code and corrected any misspellings
  • I have updated the CHANGELOG.md file (if applicable)

Breaking Changes

None. Workflow uses modern OIDC authentication. Requires one-time trusted publisher configuration on npmjs.com.

Additional Notes

Repository owner must configure trusted publishing on npmjs.com:

  1. Go to https://www.npmjs.com/package/qlaw-cli/settings (after initial publish or package creation)
  2. Add GitHub Actions as trusted publisher with:
    • Organization: Qredence
    • Repository: qlaw-cli
    • Workflow: publish.yml
    • Environment (optional): release
  3. Future publishes happen automatically via GitHub Actions using OIDC

For first-time publish:

  • Option 1: Manually publish once locally (npm publish --access public), then configure trusted publishing
  • Option 2: Create package on npmjs.com, configure trusted publishing, then run workflow

Security Benefits:

  • No npm tokens stored in GitHub Secrets
  • Short-lived, cryptographically signed OIDC credentials
  • Zero risk of token leakage
  • Automatic provenance attestation for supply chain security

Reference: https://docs.npmjs.com/trusted-publishers

Provenance attestation (--provenance) maintained for supply chain security.

Reviewer Checklist

  • Code quality is acceptable
  • Tests are adequate
  • Documentation is updated
  • No security concerns
  • Performance impact is acceptable
  • Breaking changes are justified and documented

Original prompt

The job failed during the npm publish step with the error:

npm error 404 Not Found - PUT https://registry.npmjs.org/qlaw-cli - Not found
npm error 404  'qlaw-cli@0.1.2' is not in this registry.

This means the npm registry does not recognize the package name qlaw-cli. Common causes are:

  1. The package name is not yet created/registered on npm.
  2. The publishing user does not have permission to publish this package (ownership not granted).
  3. The publish command is being run from a directory without a valid package.json, or with a mismatching name field.

Solution:

  • Check that the name field in package.json exactly matches the npm package (qlaw-cli).
  • If this is a new name, register it manually with npm (npm publish --access public once locally, authorized with your account).
  • Verify that GitHub Actions is authorized as an owner/maintainer of qlaw-cli on npm.
  • Make sure you're publishing from the root directory of the package, and package.json exists and is valid.
  • If Trusted Publishing (OIDC) is set up, ensure that the npm organization/account has enabled this and linked your GitHub repository as described in npm docs and trusted publishing setup.

If this is the first publish for qlaw-cli:

  • Log in locally with your npm account, create the package with npm publish --access public, then re-run the workflow.

If qlaw-cli exists:

  • Verify the publishing permissions for your GitHub Actions workflow by checking the npm package's access list.

Update the workflow or npm configuration to address these causes. If you need help with a specific step, please provide your package.json contents.

Created from VS Code via the GitHub Pull Request extension.
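The publish job the PR describes (`id-token: write`, no stored npm token, `npm publish --provenance --access public`), shown here as an added example rather than the qlaw-cli project's own `.github/workflows/publish.yml`; the tag trigger, Node version, Bun build script and action versions are assumptions, while the organization, repository, workflow name and optional `release` environment are the values listed in the PR.

```yaml
# Added example of a trusted-publishing workflow, not the project's own
# .github/workflows/publish.yml. Assumed: a tag trigger, Node 22, a Bun
# "build" script, and the optional "release" environment named in the PR.
name: publish

on:
  push:
    tags: ["v*"]

# Default to read-only; only the publish job gets the extra permission below.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    environment: release        # must match the environment registered on npmjs.com, if one is set
    permissions:
      contents: read
      id-token: write           # lets this job request a GitHub OIDC token; npm exchanges it for a short-lived publish credential
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          registry-url: https://registry.npmjs.org

      # Trusted publishing is implemented by the npm CLI, so use a current release.
      - run: npm install -g npm@latest

      - uses: oven-sh/setup-bun@v2
      - run: bun install --frozen-lockfile
      - run: bun run build      # assumed build script

      # No NODE_AUTH_TOKEN / NPM_TOKEN secret is configured: the CLI detects the
      # OIDC environment and authenticates as the trusted publisher registered
      # for Qredence/qlaw-cli + publish.yml. --provenance attaches a signed
      # attestation linking the tarball to this workflow run; --access public
      # makes the package visibility explicit for the first release.
      - run: npm publish --provenance --access public
```

Keeping `id-token: write` on the publish job alone (not at the workflow level) limits which job can mint an OIDC token; consumers can later check the published attestation with `npm audit signatures`.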



Copilot AI and others added 3 commits November 9, 2025 12:29
@Zochory
Member

Zochory commented Nov 9, 2025

@copilot Don't use NPM token use trusted publisher https://docs.npmjs.com/trusted-publishers

Copilot AI changed the title from "[WIP] Fix npm publish error for qlaw-cli package" to "Fix npm publish authentication for first-time package release" Nov 9, 2025
Copilot AI requested a review from Zochory November 9, 2025 12:37
Contributor Author

Copilot AI commented Nov 9, 2025

@copilot Don't use NPM token use trusted publisher https://docs.npmjs.com/trusted-publishers

Done! Reverted to use npm trusted publishing with OIDC authentication. The workflow now uses GitHub's OIDC tokens instead of NPM_TOKEN.

Key changes in commit d1aab64:

  • Removed NODE_AUTH_TOKEN/NPM_TOKEN approach
  • Added --access public flag to npm publish
  • Rewrote docs/PUBLISHING.md with trusted publishing setup instructions

The maintainer needs to configure the trusted publisher on npmjs.com (detailed steps in PUBLISHING.md) - no GitHub secrets required.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

  • docs.npmjs.com
    • Triggering command: curl -s REDACTED (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

Copilot AI changed the title from "Fix npm publish authentication for first-time package release" to "Fix npm publish using trusted publishing with OIDC authentication" Nov 9, 2025
@Zochory Zochory requested a review from Copilot November 9, 2025 12:52
Contributor

Copilot AI left a comment


Pull Request Overview

This PR adds comprehensive documentation for publishing the qlaw-cli package to npm using modern npm Trusted Publishing with GitHub Actions OIDC authentication, and updates the publish workflow to include the --access public flag.

Key Changes

  • New publishing guide documenting the npm Trusted Publishing setup and workflow
  • Updated GitHub Actions workflow to add --access public flag to the npm publish command
  • Added reference to the publishing guide in the README for maintainers

Reviewed Changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated 1 comment.

Reviewed files:

  • docs/PUBLISHING.md: Comprehensive guide covering npm Trusted Publishing setup, publishing process, troubleshooting, security features, and version management
  • .github/workflows/publish.yml: Added --access public flag to npm publish command to ensure package is published as public
  • README.md: Added link to the new publishing guide in the Contributing section
  • bun.lock: Normal Bun lockfile update adding configVersion field


@Zochory Zochory requested review from Zochory and Copilot November 9, 2025 14:01
Contributor

Copilot AI left a comment


Pull Request Overview

Copilot reviewed 3 out of 4 changed files in this pull request and generated 1 comment.

@Zochory Zochory marked this pull request as ready for review November 9, 2025 14:05
@Zochory Zochory merged commit a039674 into main Nov 9, 2025
10 checks passed
@Zochory Zochory deleted the copilot/fix-npm-publish-error branch November 9, 2025 20:47