From 2803fabe41dfbac586bab37f31bfe13ffac1d1de Mon Sep 17 00:00:00 2001
From: jan-kubica
Date: Wed, 13 May 2026 16:09:37 +0200
Subject: [PATCH 1/2] chore(ci): migrate publish step to npm-publish-hardened
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replaces the inline 50-line publish loop with a call to the shared composite action introduced in stella/.github#23 and refactored to the tarball-input shape in stella/.github#25, pinned to SHA 8dfd1bcbf4b1339b515ed359daa4f62970db2cc0. The composite encodes the same semantics — idempotent npm view check + provenance publish + eventual-consistency retry — and additionally hard-fails if NPM_TOKEN/NODE_AUTH_TOKEN is set in env, since trusted publishing performs auth via OIDC token exchange and any token in env would silently short-circuit that path.

Dropped:
- the `NPM_TOKEN: ${{ secrets.NPM_TOKEN }}` env line; token mode is no longer supported. Trusted publishing is configured for the package on the npm side.
- the inline `.npmrc` token-write step (no longer needed without a token to write)
- the inline `publish_tarball()` retry loop (now in the composite)

No functional change for a successful publish. The retry cadence inside the composite (1+2+3+4+5s = 15s total) is slightly faster than the previous local one (10+20+30+40+50s = 150s); if npm registry visibility lag exceeds 15s in practice, we can extend the composite.
---
.github/workflows/release.yml | 56 ++---------------------------------
1 file changed, 3 insertions(+), 53 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 309e8a3..75ebb8b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -127,56 +127,6 @@ jobs:
- name: Publish to npm
if: inputs.publish_to_npm
- env:
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
- run: |
- set -euo pipefail
-
- if [[ -n "${NPM_TOKEN:-}" ]]; then
- printf "//registry.npmjs.org/:_authToken=%s\n" "$NPM_TOKEN" > "$HOME/.npmrc"
- fi
-
- publish_tarball() {
- local tarball="$1"
- local package_json
- local package_name
- local package_version
- local attempt
- local published=false
-
- tarball="$(realpath "$tarball")"
- package_json="$(tar -xOf "$tarball" package/package.json)"
- package_name="$(jq -r '.name' <<<"$package_json")"
- package_version="$(jq -r '.version' <<<"$package_json")"
-
- if npm view "${package_name}@${package_version}" version --json >/dev/null 2>&1; then
- echo "Skipping already-published ${package_name}@${package_version}"
- published=true
- fi
-
- if [[ "$published" != "true" ]]; then
- for attempt in 1 2 3 4 5; do
- if npm publish "$tarball" --provenance --access public --tag latest; then
- published=true
- break
- fi
-
- if npm view "${package_name}@${package_version}" version --json >/dev/null 2>&1; then
- echo "Detected ${package_name}@${package_version} after publish attempt ${attempt}"
- published=true
- break
- fi
-
- if [[ "$attempt" -eq 5 ]]; then
- echo "Failed to publish ${package_name}@${package_version} after ${attempt} attempts" >&2
- return 1
- fi
-
- sleep $((attempt * 10))
- done
- fi
-
- return 0
- }
-
- publish_tarball "${{ steps.pack.outputs.tarball }}"
+ uses: stella/.github/.github/actions/npm-publish-hardened@8dfd1bcbf4b1339b515ed359daa4f62970db2cc0
+ with:
+ tarball: ${{ steps.pack.outputs.tarball }}

From 177a4e5c8356e1473559dbe5dd537e1e428b8f3d Mon Sep 17 00:00:00 2001
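Review bot: The new `uses:` line pins the composite to a bare 40-character SHA with no comment naming the stella/.github tag or PR it resolves to, so nobody reading the workflow can tell what behaviour was pinned — and the very next commit bumps it to "restore" the retry that this commit's message says the composite already carried, which suggests the pinned commit was not checked before merging. Annotate the pin, e.g. `# stella/.github#25 (tarball input) — bump SHA and this comment together`, and confirm the SHA is reachable from the default branch of stella/.github rather than only from a fork, since GitHub resolves fork commits through the parent repository path. With the token path removed, a successful publish now also depends on the job granting `id-token: write` for the OIDC exchange (`--provenance` already required it, so it is probably present) and on no job- or workflow-level `env:` setting NODE_AUTH_TOKEN, which the composite is said to hard-fail on. A step comment such as `# OIDC trusted publishing: needs id-token: write; must not see NPM_TOKEN/NODE_AUTH_TOKEN in env` records that precondition next to the call. The job's `permissions:` and `env:` blocks, and the flags the old script passed (`--provenance --access public --tag latest`, no longer visible from this repo), lie outside the hunk.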
From: jan-kubica
Date: Wed, 13 May 2026 16:35:57 +0200
Subject: [PATCH 2/2] =?UTF-8?q?chore(ci):=20bump=20npm-publish-hardened=20?= =?UTF-8?q?to=2024dbde1b=20=E2=80=94=20restores=20npm=20publish=20retry?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.github/workflows/release.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 75ebb8b..2a756d7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -127,6 +127,6 @@ jobs:
- name: Publish to npm
if: inputs.publish_to_npm
- uses: stella/.github/.github/actions/npm-publish-hardened@8dfd1bcbf4b1339b515ed359daa4f62970db2cc0
+ uses: stella/.github/.github/actions/npm-publish-hardened@24dbde1b56e9488a0f89f3cdb4f2635fb0faa733
with:
tarball: ${{ steps.pack.outputs.tarball }}