From 300a3fdc147fa0890bb8063bc3ed07d50777acd5 Mon Sep 17 00:00:00 2001 From: justsisyphus Date: Fri, 30 Jan 2026 12:33:51 +0900 Subject: [PATCH] fix(ci): remove .npmrc to enable pure OIDC auth for npm publish --- .github/workflows/publish-platform.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/publish-platform.yml b/.github/workflows/publish-platform.yml index 9b6c35c9f..8ca947eb7 100644 --- a/.github/workflows/publish-platform.yml +++ b/.github/workflows/publish-platform.yml @@ -192,24 +192,28 @@ jobs: if: steps.check.outputs.skip != 'true' with: node-version: "24" + registry-url: "https://registry.npmjs.org" - name: Publish ${{ matrix.platform }} if: steps.check.outputs.skip != 'true' run: | cd packages/${{ matrix.platform }} + # Remove .npmrc created by setup-node to enable pure OIDC auth + # setup-node adds //registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN} + # which breaks OIDC when NODE_AUTH_TOKEN is empty + rm -f ~/.npmrc + TAG_ARG="" if [ -n "${{ inputs.dist_tag }}" ]; then TAG_ARG="--tag ${{ inputs.dist_tag }}" fi # Publish with provenance (OIDC authentication) - # Increased timeout for large binary uploads (40-120MB) + # npm 11.5.1+ auto-detects OIDC environment npm publish --access public --provenance $TAG_ARG env: - # Use OIDC - no NODE_AUTH_TOKEN needed NPM_CONFIG_PROVENANCE: "true" - # Increase timeout for large packages (10 minutes) npm_config_fetch_timeout: "600000" npm_config_fetch_retry_maxtimeout: "120000" timeout-minutes: 15
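Review bot: The added `rm -f ~/.npmrc` may not delete the file npm actually reads. As far as I know, setup-node with `registry-url` writes its `.npmrc` under `$RUNNER_TEMP` and exports `NPM_CONFIG_USERCONFIG` pointing at it, so the `_authToken=${NODE_AUTH_TOKEN}` line described in the new comment would still be loaded by `npm publish`. If that holds, remove the file npm is configured to use, e.g. `rm -f "${NPM_CONFIG_USERCONFIG:-$HOME/.npmrc}"`, or drop the new `registry-url` input so the file is never written. Separately, the unchanged lines of this step expand `${{ inputs.dist_tag }}` straight into the script text of a job that publishes with OIDC; passing it through `env:` as `DIST_TAG: ${{ inputs.dist_tag }}` and using `--tag "$DIST_TAG"` keeps the input from being parsed as shell. The job continues outside the hunk, so its `permissions` block and the origin of `dist_tag` are not visible here.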