chore: update GH actions to use trusted publisher

[Raubzeug]

Greptile Overview

Greptile Summary

This PR attempts to migrate the npm publication workflow from secrets-based authentication to OIDC-based "Trusted Publishing". The changes add the required permissions (id-token: write, contents: write, packages: write) for OIDC token generation.

• Added permissions block with necessary OIDC and GitHub token permissions
• Replaced secrets.NODE_AUTH_TOKEN with empty string values

Critical Issue: Setting NODE_AUTH_TOKEN: '' and NPM_TOKEN: '' to empty strings will likely break npm authentication. For OIDC trusted publishing to work, these environment variables should be removed entirely, allowing setup-node action to handle OIDC token generation automatically.

Confidence Score: 1/5

• This PR may break npm publishing due to incorrect OIDC token handling configuration
• Low confidence because setting NODE_AUTH_TOKEN to empty string will likely prevent successful npm publishing. The OIDC trusted publishing setup requires these env vars to be absent, not empty.
• .github/workflows/publication.yml - the NODE_AUTH_TOKEN configuration needs to be corrected

Important Files Changed

File Analysis

Filename	Score	Overview
.github/workflows/publication.yml	1/5	Updated workflow to use OIDC-based trusted publishing for npm, but setting NODE_AUTH_TOKEN to empty string may break authentication since OIDC still needs token handling by setup-node.

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Actions
    participant SN as setup-node Action
    participant NPM as npm Registry
    participant OIDC as GitHub OIDC Provider

    GH->>SN: Configure node with registry-url
    Note over GH: id-token: write permission granted
    GH->>NPM: npm publish
    Note over NPM: NODE_AUTH_TOKEN='' (empty)
    NPM-->>GH: ❌ Authentication Failed
    Note right of NPM: Empty token prevents<br/>both secret-based and<br/>OIDC authentication

Loading

CI Results

Test Status: ⚠️ FLAKY

📊 Full Report

Total	Passed	Failed	Flaky	Skipped
378	373	0	3	2

Test Changes Summary ⏭️2

⏭️ Skipped Tests (2)

1. Scroll to row, get shareable link, navigate to URL and verify row is scrolled into view (tenant/diagnostics/tabs/queries.test.ts)
2. Copy result button copies to clipboard (tenant/queryEditor/queryEditor.test.ts)

Bundle Size: ✅

Current: 62.33 MB | Main: 62.33 MB
Diff: 0.00 KB (0.00%)

✅ Bundle size unchanged.

ℹ️ CI Information

• Test recordings for failed tests are available in the full report.
• Bundle size is measured for the entire 'dist' directory.
• 📊 indicates links to detailed reports.
• 🔺 indicates increase, 🔽 decrease, and ✅ no change in bundle size.

[Copilot]

Pull request overview

This PR updates the publication workflow to use npm's OIDC trusted publisher authentication instead of token-based authentication. This change improves security by eliminating the need to store long-lived npm tokens as secrets and enables automated provenance generation for published packages.

Key changes:

• Added workflow-level permissions for id-token, contents, and packages to enable OIDC authentication
• Replaced the NODE_AUTH_TOKEN secret with empty string values for both NODE_AUTH_TOKEN and NPM_TOKEN

[Copilot]

When using npm's trusted publisher (OIDC), empty strings should not be set for authentication tokens. These environment variables should either be omitted entirely or removed from the workflow. Setting them to empty strings serves no purpose and may cause confusion.

Remove these lines:

env:
  NODE_AUTH_TOKEN: ''
  NPM_TOKEN: ''

[Copilot]

When using npm's trusted publisher with OIDC authentication, the npm publish command should include the --provenance flag to generate build provenance attestations. This is a key security benefit of trusted publishers.

Add the provenance flag:

- run: npm publish --provenance

This ensures that the published package includes provenance information that verifies the package was built by this specific GitHub Actions workflow.

Suggested change

	- run: npm publish
	- run: npm publish --provenance

[Copilot]

The packages: write permission is not needed for publishing to npm. This permission is for GitHub Packages (ghcr.io), not npm registry. For npm publishing with trusted publisher, only id-token: write and contents: write (for release upload) are necessary.

Consider removing the unnecessary permission:

permissions:
  contents: write
  id-token: write

Suggested change

packages: write

[greptile-apps]

_{1 file reviewed, 1 comment}

_{Edit Code Review Agent Settings | Greptile}

[greptile-apps]

logic: Setting NODE_AUTH_TOKEN and NPM_TOKEN to empty strings will break npm authentication. For OIDC-based trusted publishing, these environment variables should be removed entirely rather than set to empty strings. The setup-node action with id-token: write permission will handle OIDC token generation automatically, but only if NODE_AUTH_TOKEN isn't explicitly overridden.

Remove these lines and let setup-node handle authentication:

Suggested change

	NODE_AUTH_TOKEN: ''
	NPM_TOKEN: ''

Prompt To Fix With AI

This is a comment left during a code review.
Path: .github/workflows/publication.yml
Line: 26:27

Comment:
**logic:** Setting `NODE_AUTH_TOKEN` and `NPM_TOKEN` to empty strings will break npm authentication. For OIDC-based trusted publishing, these environment variables should be **removed entirely** rather than set to empty strings. The `setup-node` action with `id-token: write` permission will handle OIDC token generation automatically, but only if `NODE_AUTH_TOKEN` isn't explicitly overridden.

Remove these lines and let `setup-node` handle authentication:

```suggestion
```

How can I resolve this? If you propose a fix, please make it concise.