refactor: use OIDC publishing and remove alpha tag handling

Switch to OIDC-based npm trusted publishing (provenance) instead of
static NPM_TOKEN for publishing. This matches the sanity-io/.github
shared workflow pattern used by next-sanity.

Changes:
- Use id-token: write permission for OIDC npm provenance
- Set NPM_CONFIG_PROVENANCE for public repos
- Update npm to latest for trusted publishing support
- Setup git user from GitHub App bot identity
- Remove scripts/publish.mjs (no more per-package tag handling)
- Use changeset publish directly (all packages publish as latest)
- Remove pre-release/alpha references from docs

Co-Authored-By: Claude <noreply@anthropic.com>

Author: binoy14

.github/workflows/release.yml

@@ -16,17 +16,23 @@ concurrency:
   cancel-in-progress: false
 
 permissions:
-  contents: write
-  pull-requests: write
+  contents: read # for checkout
+  id-token: write # to enable use of OIDC for npm provenance
 
 jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
+    permissions:
+      contents: read # for checkout
+      id-token: write # to enable use of OIDC for npm provenance
     outputs:
       published: ${{ steps.changesets.outputs.published }}
       publishedPackages: ${{ steps.changesets.outputs.publishedPackages }}
       hasChangesets: ${{ steps.changesets.outputs.hasChangesets }}
+    env:
+      TURBO_TOKEN: ${{ secrets.TURBO_TOKEN }}
+      TURBO_TEAM: ${{ vars.TURBO_TEAM }}
     steps:
       - name: Generate GitHub App Token
         id: generate_token
@@ -37,35 +43,59 @@ jobs:
 
       - name: Checkout
         uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+          token: ${{ steps.generate_token.outputs.token }}
+          persist-credentials: false
+
+      - name: Get app token user id
+        id: get-user-id
+        run: echo "user-id=$(gh api "/users/${{ steps.generate_token.outputs.app-slug }}[bot]" --jq .id)" >> "$GITHUB_OUTPUT"
+        env:
+          GH_TOKEN: ${{ steps.generate_token.outputs.token }}
+
+      - name: Setup git user
+        run: |
+          git config --global user.name '${{ steps.generate_token.outputs.app-slug }}[bot]'
+          git config --global user.email '${{ steps.get-user-id.outputs.user-id }}+${{ steps.generate_token.outputs.app-slug }}[bot]@users.noreply.github.com'
 
       - name: Setup Environment
         uses: ./.github/actions/setup
         with:
           node-version: 20
 
-      - name: Set publishing config
-        run: pnpm config set '//registry.npmjs.org/:_authToken' "${NODE_AUTH_TOKEN}"
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
+      - name: Update npm to use trusted publishing (OIDC)
+        run: npm install -g npm@latest
+
+      - name: Authenticate with private npm
+        if: ${{ secrets.NPM_PUBLISH_TOKEN != '' }}
+        run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_PUBLISH_TOKEN }}" > ~/.npmrc
+
+      - run: pnpm install
+
+      - name: Remove npm auth
+        if: ${{ secrets.NPM_PUBLISH_TOKEN != '' }}
+        run: rm -f ~/.npmrc
 
       - name: Create Release Pull Request or Publish
         id: changesets
-        uses: changesets/action@v1
+        uses: changesets/action@c48e67d110a68bc90ccf1098e9646092baacaa87 # v1.6.0
         with:
           version: pnpm version-packages
           publish: pnpm release
           title: 'chore: version packages'
           commit: 'chore: version packages'
           createGithubReleases: true
+          setupGitUser: false
         env:
           GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
-          NPM_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
+          NPM_CONFIG_PROVENANCE: ${{ github.event.repository.visibility == 'public' && 'true' || 'false' }}
 
       - name: Force Publish
         if: ${{ github.event.inputs.publish == 'true' && steps.changesets.outputs.hasChangesets == 'false' }}
         run: pnpm release
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
+          NPM_CONFIG_PROVENANCE: ${{ github.event.repository.visibility == 'public' && 'true' || 'false' }}
 
       - name: Summary
         if: ${{ steps.changesets.outputs.published == 'true' || github.event.inputs.publish == 'true' }}

CONTRIBUTING.md

@@ -1008,9 +1008,9 @@ If you need to force-publish without new changesets:
 3. Check **Force publish packages to NPM**
 4. Click **Run workflow**
 
-### Pre-releases
+### npm Dist Tags
 
-`@sanity/cli` is currently published with the `alpha` npm dist tag. Other packages (`@sanity/cli-core`, `@sanity/cli-test`, `@sanity/eslint-config-cli`) publish with the `latest` tag.
+All packages publish with the `latest` npm dist tag.
 
 ## Resources
 

package.json

@@ -34,7 +34,7 @@
     "extract-commands": "turbo run extract-commands",
     "format": "prettier --write .",
     "prepare": "husky",
-    "publish-packages": "node scripts/publish.mjs",
+    "publish-packages": "changeset publish",
     "publint": "turbo run publint",
     "pretest": "pnpm run build:cli",
     "release": "pnpm build:cli && pnpm publish-packages",