Update npm publishing to use OIDC authentication #582


Open
fern-support wants to merge 1 commit into main from chore/update-npm-oidc-auth

@fern-support (Contributor)

Summary

This PR updates the CI workflow to use OIDC (OpenID Connect) authentication for npmjs publishing instead of static authentication tokens.

Starting in mid-November 2025, npm is deprecating long-lived authentication tokens. This migration is required to continue publishing packages from GitHub Actions.

📖 For detailed migration instructions, see: Migrating from Token-based to OIDC Publishing

Changes Made

  • Added 'permissions: id-token: write' to publish job
  • Removed NPM_TOKEN from environment variables in publish job
  • Removed 'npm config set //registry.npmjs.org/:_authToken ${NPM_TOKEN}' command
  • Updated npm publish commands to use 'npx -y npm@latest publish' wrapped in a publish() function
  • Removed the 'env:' section from the publish job

⚠️ Required: Configure Trusted Publishing on npm

Before merging this PR, you must configure your package as a trusted publisher on npmjs.com:

  1. Go to your package settings on npmjs.com
  2. Find the "Publishing access" section and click "Configure trusted publisher"
  3. Select "GitHub Actions" as your provider
  4. Fill in the following details:
    • Organization or user: HumeAI
    • Repository: hume-typescript-sdk
    • Workflow filename: ci.yml
    • Environment name: Leave blank (unless you use GitHub environments)

📖 Detailed instructions: npm Trusted Publisher Setup

Testing Checklist

After merging this PR and configuring trusted publishing:

  • Trigger a test publish by creating an alpha release tag (e.g., v1.0.0-alpha1)
  • Verify the GitHub Actions workflow succeeds
  • Check that the package appears on npmjs.com
  • Verify provenance badge appears on the package page (may take a few minutes)
  • Remove the NPM_TOKEN secret from repository settings once verified

Note on testing: If the version in package.json has already been published, you may see an error like:

npm error You cannot publish over the previously published versions: 0.0.28.

This is actually a good sign! It means OIDC authentication is working correctly - npm successfully authenticated your workflow and only rejected the publish because the version already exists. You can verify this worked by checking that:

  1. The workflow didn't fail with an authentication error
  2. The error message is specifically about the version being published before
  3. You can see the workflow run had proper OIDC token permissions

Troubleshooting

If you encounter issues after merging:

"Unable to authenticate" error

  • Verify the workflow filename in npm settings matches exactly (including .yml extension)
  • Ensure trusted publisher configuration matches your repository details
  • Confirm you're not using self-hosted runners (not currently supported)
  • Check that permissions: id-token: write is present in the publish job

Note: This PR was automatically generated using AI-powered workflow analysis to ensure compatibility with your existing CI setup.

This updates the CI workflow to use OIDC authentication for npm publishing instead of static tokens. This is more secure and follows GitHub's recommended practices.

Changes:
- Added 'permissions: id-token: write' to publish job
- Removed NPM_TOKEN from environment variables in publish job
- Removed 'npm config set //registry.npmjs.org/:_authToken ${NPM_TOKEN}' command
- Updated npm publish commands to use 'npx -y npm@latest publish' wrapped in a publish() function
- Removed the 'env:' section from the publish job
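
Added example, not part of the pull request or the repository's workflow: a small Python check for the conditions the description and its troubleshooting list name (`id-token: write` present, no `NPM_TOKEN` or `_authToken` left, no self-hosted runner). The two workflow snippets and the name `audit_workflow` are constructed for illustration, and the check scans the whole file as text rather than per job.

```python
import re

# Constructed sample workflows (assumptions, not the repository's real ci.yml).
BEFORE = """\
jobs:
  publish:
    runs-on: ubuntu-latest
    env:
      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
    steps:
      - run: |
          npm config set //registry.npmjs.org/:_authToken ${NPM_TOKEN}
          npm publish --access public
"""

AFTER = """\
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      id-token: write
    steps:
      - run: |
          publish() { npx -y npm@latest publish "$@"; }
          publish --access public
"""

# (pattern, must_be_present, finding reported when the expectation fails)
CHECKS = [
    (r"^\s*id-token:\s*write\s*$", True, "missing 'permissions: id-token: write'"),
    (r"NPM_TOKEN", False, "still references NPM_TOKEN"),
    (r":_authToken", False, "still writes a registry _authToken"),
    (r"^\s*runs-on:.*self-hosted", False, "uses a self-hosted runner"),
]

def audit_workflow(text):
    """Return a list of findings; an empty list means the text passes."""
    # Drop comment-only lines so commented-out config is not counted.
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    findings = []
    for pattern, must_be_present, message in CHECKS:
        found = re.search(pattern, body, re.MULTILINE) is not None
        if found != must_be_present:
            findings.append(message)
    return findings

if __name__ == "__main__":
    for name, wf in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_workflow(wf) or "ok")
```
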