
fix(ci): use OIDC for npm publish instead of token auth#10619

Merged
jasonsaayman merged 3 commits into axios:v1.x from shaanmajid:npm-publish-oidc on Apr 1, 2026

Conversation

@shaanmajid (Contributor) commented Mar 31, 2026

Summary

Correction (2026-04-02): The original description incorrectly states that NODE_AUTH_TOKEN causes npm to skip OIDC. In fact, npm's publish codepath attempts OIDC first and overwrites any existing auth token on success (source). Trusted Publishing was already configured and working for v1.13.4 through v1.14.0 (verifiable via registry data). As such, the PR title is incorrect -- OIDC was already being used for v1.x releases. This PR's code change doesn't functionally change anything immediately -- it removes a dead fallback variable that was already being overwritten by OIDC. It does prevent the token from being accidentally used in the future (e.g., if Trusted Publishing were ever misconfigured and the OIDC exchange failed silently).

Remove NODE_AUTH_TOKEN so npm authenticates via OIDC instead of a long-lived token. When NODE_AUTH_TOKEN is set, npm uses it and skips OIDC entirely, so removing it is the only code change needed to enable Trusted Publishing. Some maintainer-side configuration on npmjs.com and GitHub is also required (see checklist below).

The workflow already has id-token: write and --provenance.

Resolves #7055.

Maintainer steps (before merge)

npm will reject publishes until the trusted publisher is configured, so these need to happen first:

npmjs.com

  • Package Settings -> Trusted Publisher -> GitHub Actions: org axios, repo axios, workflow publish.yml, environment blank
  • Package Settings -> Publishing access -> "Require two-factor authentication and disallow tokens (recommended)"
  • Profile -> Access Tokens -> revoke everything
  • Confirm 2FA is enabled on all accounts with publish access

GitHub

  • Settings -> Secrets and variables -> Actions -> delete NPM_TOKEN

Follow-up: tag protection

There currently appear to be no tag protection rules or rulesets on v*.*.* tags, so any org member with write access could push a tag and trigger a publish. Worth considering a tag ruleset restricting who can create version tags, or a GitHub Environment with required reviewers on the publish job, or both.

Test plan

  • After configuring the trusted publisher on npmjs, test with a prerelease tag to confirm OIDC works

Summary by cubic

Switch npm publish to OIDC Trusted Publishing by removing NODE_AUTH_TOKEN and reducing workflow permissions to least privilege. This improves security, removes long‑lived tokens, and preserves provenance on releases.

Description

  • Summary of changes

    • Removed NODE_AUTH_TOKEN from .github/workflows/publish.yml so npm uses OIDC.
    • Reduced permissions to contents: read and kept id-token: write.
    • Kept npm publish --provenance.
  • Reasoning

    • npm ignores OIDC when NODE_AUTH_TOKEN is set; removing it enables Trusted Publishing.
    • Least-privilege permissions lower risk on the publish job.
  • Additional context

    • Requires one-time maintainer setup before merge; see Docs.
    • Consider protecting v1.*.* tags or using a publish Environment with reviewers.

Docs

  • On npmjs.com

    • Package Settings → Trusted Publisher → GitHub Actions: org axios, repo axios, workflow publish.yml.
    • Require 2FA and disallow tokens for publishing.
    • Revoke any legacy access tokens.
    • Ensure 2FA on all publisher accounts.
  • On GitHub

    • Settings → Actions secrets: remove NPM_TOKEN.
    • Workflow permissions: contents: read, id-token: write (already set in workflow).
    • Optional: add tag protection or a publish Environment with required reviewers.

Testing

  • No code tests changed; this only updates CI.
  • Validation plan
    • After setup, run a prerelease publish from a test tag.
    • Confirm publish succeeds without NODE_AUTH_TOKEN and provenance appears on npmjs.com.
    • Check workflow logs for OIDC authentication and minimal contents scope.

Written for commit f5ef404. Summary will update on new commits.
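The description above lists the workflow-side change (drop NODE_AUTH_TOKEN, keep id-token: write and --provenance, reduce contents to read) but the page does not reproduce axios's actual .github/workflows/publish.yml. The following is an added illustration, not axios's file and not part of the PR: a minimal tag-triggered publish workflow with the removed token-based step shown commented out next to the OIDC form. Job layout, action versions, node-version and the registry-url input are assumptions; only the permissions block, the absence of NODE_AUTH_TOKEN and the `npm publish --provenance` command come from the PR text.

```yaml
# Added example (hypothetical workflow, not axios's publish.yml).
name: publish

on:
  push:
    tags:
      - 'v*.*.*'

# Least privilege, as the PR summary describes:
#   contents: read   -> enough to check out the tagged commit
#   id-token: write  -> lets the job request a GitHub OIDC token, which npm
#                       exchanges for a short-lived publish credential
permissions:
  contents: read
  id-token: write

jobs:
  publish:
    runs-on: ubuntu-latest          # assumption
    steps:
      - uses: actions/checkout@v4   # assumption
      - uses: actions/setup-node@v4 # assumption
        with:
          node-version: 22          # assumption
          registry-url: https://registry.npmjs.org
      - run: npm ci

      # BEFORE (the pattern this PR removes): a long-lived token from the
      # repository secret NPM_TOKEN is injected as NODE_AUTH_TOKEN. Anyone who
      # can read the secret or run this job can publish, and the token must be
      # rotated by hand if it leaks.
      # - run: npm publish --provenance
      #   env:
      #     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

      # AFTER: no token in the environment. With a Trusted Publisher configured
      # on npmjs.com for this org/repo/workflow file, npm authenticates with the
      # job's OIDC token and the provenance attestation is bound to this run.
      - run: npm publish --provenance
```

The trust relationship lives on the registry side (Package Settings -> Trusted Publisher, matching org, repo and workflow file name), so a workflow edit alone does nothing until that is configured; the PR's maintainer checklist covers it. Once a release is out, `npm audit signatures` in a project that depends on the package verifies the registry signatures and provenance attestations locally, which is a concrete check for the "provenance appears on npmjs.com" item in the test plan.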

@cubic-dev-ai (Contributor, bot) left a comment

No issues found across 1 file

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

@jasonsaayman jasonsaayman added labels priority::high (A high priority issue), commit::ci (The PR is related to CI), type::security (The PR is a security related change, normally from a CVE) on Apr 1, 2026
@jasonsaayman jasonsaayman merged commit ebf3036 into axios:v1.x Apr 1, 2026
16 checks passed
@shaanmajid shaanmajid deleted the npm-publish-oidc branch April 1, 2026 15:23
Development

Successfully merging this pull request may close these issues.

Consider adopting npm trusted publishing

2 participants