From 8fe1c02e29e590a996a00437d35e1ea491a6f8f7 Mon Sep 17 00:00:00 2001
From: feugy
Date: Fri, 19 Jun 2026 17:22:12 +0200
Subject: [PATCH 1/2] fix(ci): publish to npm via OIDC trusted publishing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The elevated npm token (NPM_TOKEN_ELEVATED) can no longer be used, so the release job's npm authentication is broken. Switch to npm Trusted Publishing (OIDC), the same mechanism used by vercel/flags and vercel/front — without adopting changesets.

- grant `id-token: write` on the release job so the runner can mint an OIDC token (the job previously had no permissions block, inheriting the default that blocks ID-token issuance)
- drop `NODE_AUTH_TOKEN` from both publish steps; pnpm@11.1.3 performs the OIDC token exchange natively (native publish landed in 11.0.7, and 11.1.3 fixes the 404 when OIDC meets the actions/setup-node `.npmrc` placeholder)
- enable `NPM_CONFIG_PROVENANCE` for signed provenance attestations

Requires a Trusted Publisher to be configured on npm for @vercel/analytics (repo vercel/analytics, workflow release.yml).

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/release.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b75f6af..233dbc1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,6 +5,9 @@ on:
 jobs:
   release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@v5
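Review bot: The new `permissions:` block is the security-relevant part of this hunk and has no comment explaining it; `id-token: write` is what lets any step in this job request a GitHub OIDC token, so a future maintainer needs to know why it is there and why it must stay job-scoped rather than workflow-wide. Suggest adding above `permissions:`: `# id-token: write lets pnpm mint the OIDC token that npm Trusted Publishing exchanges for a short-lived publish credential; keep this job-scoped and keep contents read-only`. Because every step in the job can now obtain that token, the job's full step list (only `Checkout` is visible here; setup and build steps are outside the hunk) should contain only actions the team trusts, and for a job that can publish to npm the usual hardening is to pin third-party actions such as `actions/checkout` to a commit SHA rather than the `@v5` tag shown on the last context line. The `on:` trigger is outside the hunk, so I cannot confirm from here that the job only runs on release events.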
@@ -23,8 +26,8 @@ jobs:
       - run: pnpm -F @vercel/analytics publish --tag beta --no-git-checks
         if: github.event.release.prerelease == true
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN_ELEVATED }}
+          NPM_CONFIG_PROVENANCE: 'true'
       - run: pnpm -F @vercel/analytics publish --no-git-checks
         if: github.event.release.prerelease == false
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN_ELEVATED }}
+          NPM_CONFIG_PROVENANCE: 'true'

From 1a5bc54819e68c2b4a0b225c8ba2c01e972eccad Mon Sep 17 00:00:00 2001
From: feugy
Date: Fri, 19 Jun 2026 17:36:49 +0200
Subject: [PATCH 2/2] refactor(ci): configure provenance via publishConfig

Per review feedback, move provenance out of the workflow env and into the package's publishConfig so it always applies, regardless of how publish is invoked.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
 .github/workflows/release.yml | 4 ----
 packages/web/package.json | 3 +++
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 233dbc1..a8ca1e7 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,9 +25,5 @@ jobs:
         run: pnpm -F @vercel/analytics build
       - run: pnpm -F @vercel/analytics publish --tag beta --no-git-checks
         if: github.event.release.prerelease == true
-        env:
-          NPM_CONFIG_PROVENANCE: 'true'
       - run: pnpm -F @vercel/analytics publish --no-git-checks
         if: github.event.release.prerelease == false
-        env:
-          NPM_CONFIG_PROVENANCE: 'true'
diff --git a/packages/web/package.json b/packages/web/package.json
index 5c86daf..c820d94 100644
--- a/packages/web/package.json
+++ b/packages/web/package.json
@@ -11,6 +11,9 @@
     "directory": "packages/web"
   },
   "license": "MIT",
+  "publishConfig": {
+    "provenance": true
+  },
   "exports": {
     "./package.json": "./package.json",
     ".": {
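Review bot: Both publish steps now rely on pnpm's native OIDC exchange, which per the commit message requires pnpm 11.1.3 or later, but nothing in this hunk records that dependency; the pnpm setup step and any `packageManager` field are outside the hunk, so please confirm they pin at least 11.1.3 rather than a floating major, since an older pnpm would fall back to the empty `NODE_AUTH_TOKEN` placeholder that actions/setup-node writes to `.npmrc` and fail at publish time. A one-line comment above the first `- run:` would make this explicit, e.g. `# No NODE_AUTH_TOKEN on purpose: pnpm >= 11.1.3 exchanges the job's OIDC token with npm (Trusted Publishing)`. With the long-lived token gone, a missing or mismatched Trusted Publisher entry on npm (repo, workflow filename, environment) only shows up as an auth error during publish, so exercising the prerelease path first is the cheap way to validate the configuration before a stable release depends on it.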
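Review bot: `"publishConfig": { "provenance": true }` applies to every publish of this package, including a manual `pnpm publish` from a developer machine, where npm cannot generate a provenance attestation and, as far as I recall, aborts the publish instead of silently skipping it. If that forcing function (publish only from the trusted workflow) is intended it is a useful guard, but it should be written down in the release or contributing documentation so that a failing local publish is not "fixed" by flipping the field off or passing a `--no-provenance`-style override. JSON carries no comments, so the explanation has to live in the docs rather than next to the field; the accompanying workflow hunk is a pure removal of the now-redundant `env:` blocks and needs nothing further.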