Merge pull request #32 from phantom/jack/npm-token-publishing

fix: Revert to previous flow to unblock release

Author: jackw-phantom

.github/workflows/release.yml

@@ -5,48 +5,38 @@ on:
     branches:
       - master
 
-concurrency: ${{ github.workflow }}-${{ github.ref }}
-
 permissions:
   contents: write
   pull-requests: write
-  # OIDC
-  id-token: write
 
 jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
-    env:
-      # Force npm to emit provenance (SLSA) when publishing via OIDC.
-      NPM_CONFIG_PROVENANCE: true
-
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v4
 
-      - name: Setup Node.js 24.x
-        uses: actions/setup-node@v4
-        with:
-          node-version: 24.x
-
-      - name: Ensure npm 11.5.1+ for trusted publishing
-        run: npm install -g npm@^11.8.0
-
       - name: Enable Corepack
         run: corepack enable
 
+      - name: Setup Node.js 20.x
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20.x
+          cache: "yarn"
+          registry-url: "https://registry.npmjs.org"
+
       - name: Install Dependencies
-        run: yarn
+        run: yarn install --immutable
 
       - name: Create Release Pull Request or Publish to npm
         id: changesets
         uses: changesets/action@e0145edc7d9d8679003495b11f87bd8ef63c0cba
         with:
-          # This expects you to have a script called release which does a build for your packages and calls changeset publish
           version: yarn changeset version
           publish: yarn release
           commitMode: github-api
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_CONFIG_PROVENANCE: true
+          NPM_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN_PHANTOM_SECURITY_BOT }}