Copilot AI commented Jan 6, 2026

npm classic tokens were revoked as of December 2025. This updates the CI workflow to use OIDC trusted publishing for npm package publishing.

Changes

  • Add id-token: write permission for OIDC authentication
  • Add registry-url: 'https://registry.npmjs.org' to actions/setup-node in publish jobs
  • Replace JS-DevTools/npm-publish action with direct npm publish CLI command
  • Use Node.js 22.x in publish jobs (bundled npm v11.x has OIDC trusted publishing support)
  • Move dependabot exclusion checks to job-level if conditions

Required Setup

Configure trusted publisher on npmjs.com for this package:

  • Repository: SolidOS/solid-ui
  • Workflow filename: ci.yml

Original prompt

On ci.yml, please update this configuration to replace the use of token-based authentication with OIDC session management

https://github.blog/changelog/2025-12-09-npm-classic-tokens-revoked-session-based-auth-and-cli-token-management-now-available/


Copilot AI and others added 2 commits January 6, 2026 13:34
Co-authored-by: jeswr <63333554+jeswr@users.noreply.github.com>
Co-authored-by: jeswr <63333554+jeswr@users.noreply.github.com>
Copilot AI changed the title [WIP] Update ci.yml for OIDC session management Replace npm token auth with OIDC trusted publishing Jan 6, 2026
Copilot AI requested a review from jeswr January 6, 2026 13:36

jeswr commented Jan 6, 2026

@copilot please update the workflow to use the npm cli directly as shown in https://docs.npmjs.com/trusted-publishers and remove the use of the JS-DevTools action

Copilot AI and others added 2 commits January 6, 2026 13:57
Co-authored-by: jeswr <63333554+jeswr@users.noreply.github.com>
Co-authored-by: jeswr <63333554+jeswr@users.noreply.github.com>

Copilot AI commented Jan 6, 2026

@copilot please update the workflow to use the npm cli directly as shown in https://docs.npmjs.com/trusted-publishers and remove the use of the JS-DevTools action

Updated to use npm publish directly instead of JS-DevTools action. The workflow now installs npm v11.5.1+ (required for OIDC support) and calls npm publish --tag <tag> for both publish jobs. See commit af3d10a.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • docs.npmjs.com
    • Triggering command: /home/REDACTED/work/_temp/ghcca-node/node/bin/node /home/REDACTED/work/_temp/ghcca-node/node/bin/node --enable-source-maps /home/REDACTED/work/_temp/copilot-developer-action-main/dist/index.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:


jeswr commented Jan 6, 2026

@copilot Please use actions/setup-node rather than npm i -g npm

Co-authored-by: jeswr <63333554+jeswr@users.noreply.github.com>

Copilot AI commented Jan 6, 2026

@copilot Please use actions/setup-node rather than npm i -g npm

Updated to use node-version: 22.x in actions/setup-node instead of npm i -g npm. Node.js 22 comes bundled with npm v11.x which supports OIDC trusted publishing. See commit 6b3bb08.
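
A preflight check for the publish job discussed in this thread, as an added example that is not part of the pull request or of any participant's comment: it compares the runner's npm version against the 11.5.1 minimum quoted above and confirms that the OIDC token request variables GitHub Actions exposes under id-token: write are present. The function names `version_ge` and `preflight` are hypothetical.

```sh
#!/bin/sh
# Added example: preflight for npm OIDC trusted publishing in a GitHub Actions job.
# Function names are hypothetical; the minimum version is the one quoted in the thread.
MIN_NPM="11.5.1"

# version_ge A B: return 0 when dotted version A >= B, 1 when older, 2 when unparseable.
# Fields are compared numerically, so 11.10.0 is correctly newer than 11.5.1.
version_ge() {
  va=${1#v}; va=${va%%[-+]*}   # drop a leading "v" and any pre-release/build suffix
  vb=${2#v}; vb=${vb%%[-+]*}
  case $va in ''|*[!0-9.]*) return 2 ;; esac
  case $vb in ''|*[!0-9.]*) return 2 ;; esac
  for _field in major minor patch; do
    x=${va%%.*}; y=${vb%%.*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case $va in *.*) va=${va#*.} ;; *) va=0 ;; esac
    case $vb in *.*) vb=${vb#*.} ;; *) vb=0 ;; esac
  done
  return 0
}

# preflight NPM_VERSION: report each unmet requirement on stderr, return how many failed.
preflight() {
  fails=0
  if ! version_ge "$1" "$MIN_NPM"; then
    echo "npm '$1' is older than $MIN_NPM (or unparseable)" >&2
    fails=$((fails + 1))
  fi
  # GitHub Actions exports both variables only to jobs granted `id-token: write`.
  if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] ||
     [ -z "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]; then
    echo "OIDC token request variables are missing; check the job's permissions" >&2
    fails=$((fails + 1))
  fi
  return "$fails"
}

# Usage in a workflow step that runs before `npm publish`:
#   preflight "$(npm --version)" || exit 1
```

Running it as its own step makes an outdated bundled npm or a missing permission fail with a clear message instead of an opaque authentication error from the registry.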
