revert to npm trusted publishing #1022

Merged
ns212 merged 1 commit into master from npm-publish
Mar 30, 2026

Conversation

@ns212
Contributor

@ns212 ns212 commented Mar 30, 2026

This pull request updates the GitHub Actions workflows for publishing to npm, focusing on upgrading the versions of key actions and modifying the way environment variables are handled during the publish steps.

Workflow Action Upgrades:

  • Updated the actions/checkout and actions/setup-node actions from version v4 to v6 in the cli-npm.yml workflow to use the latest features and security updates.

Environment Variable Handling:

  • Removed the explicit setting of the NODE_AUTH_TOKEN environment variable in the publish steps of both cli-npm.yml and sdk-npm.yml, which may indicate a shift to relying on default authentication mechanisms or configuration elsewhere in the workflow. [1] [2]

@ns212 ns212 requested a review from Copilot March 30, 2026 19:38
@gemini-code-assist
Contributor

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

@vercel

vercel bot commented Mar 30, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: bob-docs | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): Mar 30, 2026 7:38pm


@ns212 ns212 merged commit eee41e3 into master Mar 30, 2026
8 of 9 checks passed
@ns212 ns212 deleted the npm-publish branch March 30, 2026 19:38

Copilot AI left a comment


Pull request overview

Updates the npm publishing GitHub Actions workflows to rely on npm trusted publishing (OIDC) rather than passing an npm token via NODE_AUTH_TOKEN, while also bumping core GitHub Actions versions.

Changes:

  • Upgraded actions/checkout and actions/setup-node to v6 in the CLI publish workflow.
  • Removed NODE_AUTH_TOKEN from the npm publish steps in both SDK and CLI workflows (shifting auth expectations to OIDC/trusted publishing).

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File: .github/workflows/cli-npm.yml | Description: Upgrades actions versions and removes token-based npm auth for publishing (expects OIDC/trusted publishing).
File: .github/workflows/sdk-npm.yml | Description: Removes token-based npm auth for publishing (expects OIDC/trusted publishing).
Comments suppressed due to low confidence (2)

.github/workflows/sdk-npm.yml:50

  • After removing NODE_AUTH_TOKEN, this workflow no longer configures any npm registry authentication (no _authToken in repo and no token env var here). Unless @gobob/bob-sdk is configured for npm/GitHub trusted publishing and the publish command is using the OIDC-based flow, npm publish will fail with an auth error. Consider either adding --provenance (to align with cli-npm.yml and explicitly use the OIDC/provenance path) or restoring NODE_AUTH_TOKEN for this workflow.
      - name: publish to npm
        if: env.PUBLISH == 'true'
        run: |
          if [[ "${{ steps.version.outputs.version }}" == *rc* ]]; then
            npm publish --access public --tag rc
          else
            npm publish --access public

.github/workflows/cli-npm.yml:76

  • This publish step no longer provides NODE_AUTH_TOKEN, so npm authentication now depends entirely on npm/GitHub trusted publishing (OIDC). If @gobob/gateway-cli is not configured for trusted publishing in npm, this workflow will start failing with 401s; consider adding a short comment/link to the expected npm setup or restoring token-based auth.
      - name: Publish
        if: env.PUBLISH == 'true'
        run: |
          if [[ "${{ steps.version.outputs.version }}" == *rc* ]]; then
            npm publish --access public --provenance --tag rc
          else
            npm publish --access public --provenance
          fi

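What the reviewer's suggestions amount to, as an added example that is not one of this repository's workflows: a publish job that carries the `id-token: write` permission OIDC needs, wires in no `NODE_AUTH_TOKEN` secret at all, and passes `--provenance` explicitly so both workflows use the same attested path. The workflow filename, trigger, build steps and the assumption that a trusted publisher is registered on npmjs.com for this repository and workflow are all assumptions, not facts from the pull request.

```yaml
# Added example, not the repository's own workflow. Assumes the package has a
# trusted publisher configured on npmjs.com pointing at this repository and
# this workflow filename, and that the npm CLI on the runner supports OIDC
# trusted publishing.
name: publish-trusted
on:
  push:
    tags: ['v*']

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read   # enough for checkout; nothing else is granted
      id-token: write  # required: lets the job request the OIDC token npm exchanges for a publish credential
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version: 22
      - run: npm ci
      - run: npm run build

      # Guard against the two auth paths being mixed: if a token is still set
      # at workflow or job level, stop before publishing so the misconfiguration
      # is visible instead of silently masking a broken trusted-publisher setup.
      - name: assert no token-based auth
        run: |
          if [ -n "${NODE_AUTH_TOKEN:-}" ]; then
            echo "NODE_AUTH_TOKEN is set; this job is meant to publish via OIDC only" >&2
            exit 1
          fi

      # No NODE_AUTH_TOKEN here. npm authenticates with the short-lived OIDC
      # token, and --provenance attaches a signed attestation tying the tarball
      # to this repository, workflow and run.
      - name: publish to npm
        run: npm publish --access public --provenance
```

If the trusted publisher is not registered on the registry for this repository and workflow, the publish fails with a 401 as the review predicts; the fix is on the npmjs.com side (register the publisher), not restoring a long-lived token to the workflow. Keeping `--provenance` in both workflows also gives consumers a verifiable link from the published tarball back to the exact CI run that built it.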
