fix(ci): restructure publish workflow for OIDC authentication (#25)

* fix(ci): restructure publish workflow for OIDC authentication

Adopt the Reactist publishing pattern to fix npm registry authentication
failures. The previous approach had GITHUB_TOKEN leaking between publish
steps, preventing OIDC from working.

Changes:
- Add .npmrc with @Doist registry config for OIDC-based npm publishing
- Reverse publish order: npm first, GitHub Packages second
- Remove setup-node registry-url for initial npm publish (uses .npmrc)
- Add config cleanup step between registry publishes

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: update .node-version so that it satisfies the requirement defined in package.json on CI

Update .node-version to 22.22.0 to satisfy the engine requirement
(^22.22.0 || >=24.13.0) while keeping engine-strict=true in .npmrc.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* Remove access and provenance flags from npm publish

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>

Author: frankieyan

.github/workflows/publish.yml

@@ -1,12 +1,16 @@
 name: Publish @doist/react-compiler-tracker package
 
 on:
+    # triggered by `release-please.yml`
     workflow_dispatch:
 
 permissions:
-    contents: read
-    packages: write
+    # Enable the use of OIDC for trusted publishing and npm provenance
     id-token: write
+    # Enable the use of GitHub Packages registry
+    packages: write
+    # Enable Release Please to publish a GitHub release
+    contents: read
 
 jobs:
     publish:
@@ -17,13 +21,11 @@ jobs:
             - name: Checkout repository
               uses: actions/checkout@v4
 
-            - name: Prepare Node.js environment for GitHub Packages registry
+            - name: Prepare Node.js environment
               uses: actions/setup-node@v6
               with:
                   cache: npm
                   node-version-file: .node-version
-                  registry-url: https://npm.pkg.github.com/
-                  scope: '@doist'
 
             - name: Ensure npm 11.5.1 or later is installed
               run: npm install -g npm@latest
@@ -35,17 +37,27 @@ jobs:
             - run: npm run test
             - run: npm run build
 
-            - name: Publish package to GitHub Packages registry
+            # The Node.js environment is prepared based on the `.npmrc` file in the repo, which
+            # configures Doist scoped packages to use the public npm registry with OIDC
+            # authentication for the initial publish, after which we remove the Doist registry
+            # configuration, and prepare the Node.js environment for the GitHub Packages registry,
+            # providing a predictable release workflow for both registries.
+
+            - name: Publish package to public npm registry
               run: npm publish
-              env:
-                  NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-            - name: Prepare Node.js environment for npm registry
+            - name: Remove Doist registry configuration from `.npmrc`
+              run: npm config delete @doist:registry --location=project
+
+            - name: Prepare Node.js environment for GitHub Packages registry
               uses: actions/setup-node@v6
               with:
+                  cache: npm
                   node-version-file: .node-version
-                  registry-url: https://registry.npmjs.org/
+                  registry-url: https://npm.pkg.github.com/
                   scope: '@doist'
 
-            - name: Publish package to npm registry
-              run: npm publish --access public --provenance
+            - name: Publish package to GitHub Packages registry
+              run: npm publish
+              env:
+                  NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.node-version

@@ -1 +1 @@
-22
+22.22

.npmrc

@@ -0,0 +1,9 @@
+# Ensure dependencies are installed from the npm Registry instead of GitHub Packages in case you
+# have changed the default registry for the `@doist` scope in a parent `.npmrc` file
+@doist:registry=https://registry.npmjs.org/
+
+# Refuse to install any package incompatible with the current Node.js version
+engine-strict=true
+
+# Save dependencies with an exact version rather than the semver range
+save-exact=true