Automate npm trusted publishing setup via npm trust CLI #643

Merged: stipsan merged 3 commits into main from copilot/investigate-trusted-publishing-automation on Mar 6, 2026

Copilot AI commented Mar 4, 2026

npm/cli#8899 shipped npm trust in npm 11.10.0, enabling CLI-based trusted publishing configuration. This replaces the manual npmjs.com web UI steps with a single command:

npm trust github <package> --file=release.yml --repository=sanity-io/plugins

Workflow (setup-trusted-publish.yml)

  • New step echoes the npm trust github CLI command for the user to run locally after the package is created on npm

Generator & templates

  • turbo/generators/config.ts: Simplified getSetupInstructions() — workflow steps streamlined, with CLI command replacing the 6-step manual web UI flow
  • README.todo.md.hbs: CLI command is primary instruction; manual web UI preserved in a collapsible <details> block

Documentation

  • CONTRIBUTING.md: Both "new package" and "existing package" sections updated to lead with CLI command
  • AGENTS.md: Trusted publishing quick reference updated

Original prompt

Investigate if npm/cli#8899 means we can automatically set up trusted publishing correctly instead of referring to the npm settings listings pages with manual instructions for filling in the form.

If it works, update workflows that currently point to manual steps to either fully automate it or give instructions on what npm version to have, and what command to run.
It's better if the automation can do it and instead only do an npm version check and warn the user that they need to update npm and what steps to run after; if it's on the right version then simply update it without bugging the user.
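
Added example (not part of this PR or the sanity-io/plugins repository): one way to write the npm version gate the original prompt describes, printing the `npm trust github` command only when npm is at least 11.10.0. The function names, the package-name check and the sample package `sanity-plugin-example` are assumptions made for illustration.

```shell
# Added example, not code from this PR. Function names and the sample package
# name are hypothetical; the command and the version floor come from the PR text.
MIN_NPM="11.10.0"   # first npm release with `npm trust`, per the PR description

# version_ge A B: status 0 if A >= B, 1 if A < B, 2 if a version is malformed.
# Fields are compared as integers: a string compare ranks 11.9.0 above 11.10.0.
version_ge() {
  _a=${1%%[-+]*} _b=${2%%[-+]*}
  for _i in 1 2 3; do
    _x=${_a%%.*} _y=${_b%%.*}
    case $_x in ''|*[!0-9]*) return 2 ;; esac
    case $_y in ''|*[!0-9]*) return 2 ;; esac
    [ "$_x" -gt "$_y" ] && return 0
    [ "$_x" -lt "$_y" ] && return 1
    # Advance to the next field; a missing field counts as 0.
    case $_a in *.*) _a=${_a#*.} ;; *) _a=0 ;; esac
    case $_b in *.*) _b=${_b#*.} ;; *) _b=0 ;; esac
  done
  # Numerically equal: a prerelease (11.10.0-pre.1) sorts below the release.
  case ${1%%+*} in *-*) return 1 ;; esac
  return 0
}

# trust_setup_plan NPM_VERSION PACKAGE: print the command to run, or upgrade
# guidance when npm is too old. Status: 0 ready, 1 npm too old, 2 bad input.
trust_setup_plan() {
  # Assumption: allow only npm-name characters, so the printed line is safe to
  # paste into a shell even when PACKAGE came from a workflow input.
  case $2 in ''|*[!a-z0-9@/._~-]*) echo "invalid package name" >&2; return 2 ;; esac
  version_ge "$1" "$MIN_NPM" && _rc=0 || _rc=$?
  case $_rc in
    0) echo "npm trust github $2 --file=release.yml --repository=sanity-io/plugins" ;;
    1) echo "npm $1 is older than $MIN_NPM; run: npm install -g npm@latest, then retry"
       return 1 ;;
    *) echo "cannot parse npm version '$1'" >&2; return 2 ;;
  esac
}

# Constructed sample run; in real use pass "$(npm --version)" as the first argument.
trust_setup_plan "11.9.0" "sanity-plugin-example" || true
```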



vercel bot commented Mar 4, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| plugins-studio | Ready | Preview, Comment | Mar 5, 2026 8:16am |



changeset-bot bot commented Mar 4, 2026

⚠️ No Changeset found

Latest commit: 56cedf6

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


Update workflows and documentation to use `npm trust github` (available
in npm >= 11.10.0, from npm/cli#8899) instead of requiring manual web UI
configuration on npmjs.com.

Changes:
- setup-trusted-publish.yml: Add OTP input and `npm trust github` step
  to automatically configure trusted publishing after package creation
- turbo/generators/config.ts: Simplify setup instructions with CLI command
- README.todo.md.hbs: Replace manual web UI steps with CLI command
- CONTRIBUTING.md: Update both new and existing package sections
- AGENTS.md: Update trusted publishing quick reference

Co-authored-by: stipsan <81981+stipsan@users.noreply.github.com>

Copilot AI changed the title from "[WIP] Investigate automated setup for trusted publishing" to "Automate npm trusted publishing setup via npm trust CLI" on Mar 4, 2026

Co-authored-by: stipsan <81981+stipsan@users.noreply.github.com>
@stipsan stipsan marked this pull request as ready for review March 5, 2026 08:21
Copilot AI review requested due to automatic review settings March 5, 2026 08:21

Copilot AI left a comment

Pull request overview

Updates the repository’s trusted publishing setup guidance to use the new npm trust github CLI flow (npm >= 11.10.0), replacing most manual npmjs.com UI steps with a single command while keeping a manual fallback.

Changes:

  • Updated scaffolding instructions/templates to lead with npm trust github <package> --file=release.yml --repository=sanity-io/plugins.
  • Updated contributor/agent docs to reflect the CLI-first flow, with manual UI steps moved under <details>.
  • Updated the “setup-trusted-publish” workflow to echo the CLI command after creating the initial package.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| turbo/generators/templates/README.todo.md.hbs | CLI-first trusted publishing instructions for generated plugin TODO README, with manual fallback in <details>. |
| turbo/generators/config.ts | Simplifies generator “package doesn’t exist yet” instructions to point to npm trust github. |
| CONTRIBUTING.md | Updates new/existing package guidance to use npm trust github, preserves manual fallback in <details>. |
| AGENTS.md | Updates trusted publishing quick reference to use the CLI command. |
| .github/workflows/setup-trusted-publish.yml | Adds a post-step that prints the npm trust github command to run locally. |


@stipsan stipsan enabled auto-merge (squash) March 5, 2026 08:37
@stipsan stipsan disabled auto-merge March 6, 2026 09:11
@stipsan stipsan merged commit a4d82c9 into main Mar 6, 2026
13 checks passed
@stipsan stipsan deleted the copilot/investigate-trusted-publishing-automation branch March 6, 2026 09:11