fix release yml

Author: indianaPoly

.github/workflows/release.yml

@@ -42,6 +42,26 @@ jobs:
       - name: Install dependencies
         run: bun install --frozen-lockfile
 
+      - name: Debug release target and auth mode
+        env:
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: |
+          echo "package_name=$(node -p "require('./packages/core/package.json').name")"
+          echo "package_version=$(node -p "require('./packages/core/package.json').version")"
+          echo "registry=$(npm config get registry)"
+          if [ -n "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ] && [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]; then
+            echo "oidc=available"
+          else
+            echo "oidc=unavailable"
+          fi
+          if [ -n "${NPM_TOKEN:-}" ]; then
+            echo "npm_token=present"
+            npm whoami || true
+          else
+            echo "npm_token=missing"
+          fi
+
       - name: Run lint
         run: bun run lint
 

README.ko.md

@@ -34,7 +34,7 @@ bun run release:dry-run
 ## 패키지 사용 예시
 
 ```ts
-import { createDeadClickDetector } from "@clickvoidx/core";
+import { createDeadClickDetector } from "@hyunrim03/core";
 
 const detector = createDeadClickDetector({
   onDeadClick(report) {

README.md

@@ -34,7 +34,7 @@ bun run release:dry-run
 ## Package usage
 
 ```ts
-import { createDeadClickDetector } from "@clickvoidx/core";
+import { createDeadClickDetector } from "@hyunrim03/core";
 
 const detector = createDeadClickDetector({
   onDeadClick(report) {

bun.lock

@@ -50,6 +50,9 @@ The release workflow maps `secrets.NPM_TOKEN` to both `NPM_TOKEN` and `NPM_CONFI
 - Use Node.js `22.14.0+` and npm `11.5.1+` in the release job
 - When no npm token is present, the release script falls back to `npm publish --provenance`
 
+The repository now prefers OIDC on GitHub Actions even if `NPM_TOKEN` is also present.
+Set `FORCE_NPM_TOKEN_PUBLISH=1` only if you intentionally want to override that behavior.
+
 This avoids the 2FA-token problem entirely.
 
 ## Recommended repository settings

docs/release-process.en.md

@@ -51,6 +51,9 @@
 - release job에서 Node.js `22.14.0+`, npm `11.5.1+` 사용
 - npm 토큰이 없을 때 release script가 `npm publish --provenance`로 자동 fallback
 
+이 저장소는 이제 GitHub Actions에서 `NPM_TOKEN`이 함께 있어도 OIDC를 우선 사용합니다.
+의도적으로 토큰 경로를 강제하고 싶을 때만 `FORCE_NPM_TOKEN_PUBLISH=1`을 사용하면 됩니다.
+
 이 방식은 2FA 토큰 문제를 피할 수 있습니다.
 
 ## 권장 GitHub 저장소 설정

docs/release-process.ko.md

@@ -1,4 +1,4 @@
-# @clickvoidx/core
+# @hyunrim03/core
 
 ## 0.1.1
 

packages/core/CHANGELOG.md

@@ -1,4 +1,4 @@
-# @clickvoidx/core
+# @hyunrim03/core
 
 A Bun-friendly TypeScript package for detecting dead clicks in browser applications.
 
@@ -12,7 +12,7 @@ A Bun-friendly TypeScript package for detecting dead clicks in browser applicati
 ## Quick example
 
 ```ts
-import { createDeadClickDetector } from "@clickvoidx/core";
+import { createDeadClickDetector } from "@hyunrim03/core";
 
 const detector = createDeadClickDetector({
   onDeadClick(report) {

packages/core/README.md

@@ -1,5 +1,5 @@
 {
-  "name": "@clickvoidx/core",
+  "name": "@hyunrim03/core",
   "version": "0.1.1",
   "description": "Dead-click detection core package for browser applications.",
   "type": "module",

packages/core/package.json

@@ -6,9 +6,9 @@ import process from "node:process";
 /**
  * Release publishing entrypoint.
  *
- * - If an npm token is present, we keep the Bun-based publish path.
- * - If no npm token is present but GitHub OIDC variables exist, we fall back to
- *   npm trusted publishing.
+ * - On GitHub Actions, OIDC trusted publishing is preferred whenever available.
+ * - If OIDC is unavailable but an npm token is present, we keep the Bun-based
+ *   publish path.
  * - In dry-run mode we only pack the package, so local validation never needs auth.
  */
 const isDryRun = process.argv.includes("--dry-run");
@@ -25,6 +25,7 @@ const hasNpmToken = Boolean(npmToken);
 const hasOidc = Boolean(
   env.ACTIONS_ID_TOKEN_REQUEST_TOKEN && env.ACTIONS_ID_TOKEN_REQUEST_URL
 );
+const forceTokenPublish = env.FORCE_NPM_TOKEN_PUBLISH === "1";
 
 if (npmToken && !env.NPM_CONFIG_TOKEN) {
   env.NPM_CONFIG_TOKEN = npmToken;
@@ -60,19 +61,28 @@ function run(command, args, mode) {
 }
 
 if (isDryRun) {
-  run("bun", ["pm", "pack"], hasNpmToken ? "bun-token" : hasOidc ? "npm-oidc" : "pack-only");
+  run(
+    "bun",
+    ["pm", "pack"],
+    hasOidc && !forceTokenPublish
+      ? "npm-oidc"
+      : hasNpmToken
+        ? "bun-token"
+        : "pack-only"
+  );
 }
 
-if (hasNpmToken) {
-  run("bun", ["publish", "--access", "public", "--tolerate-republish"], "bun-token");
+if (hasOidc && !forceTokenPublish) {
+  run("npm", ["publish", "--access", "public", "--provenance"], "npm-oidc");
 }
 
-if (hasOidc) {
-  run("npm", ["publish", "--access", "public", "--provenance"], "npm-oidc");
+if (hasNpmToken) {
+  run("bun", ["publish", "--access", "public", "--tolerate-republish"], "bun-token");
 }
 
 console.error(
   "[release] Missing publish credentials. Provide NPM_TOKEN/NPM_CONFIG_TOKEN " +
-    "or configure npm trusted publishing with GitHub OIDC (id-token: write)."
+    "or configure npm trusted publishing with GitHub OIDC (id-token: write). " +
+    "GitHub Actions prefers OIDC unless FORCE_NPM_TOKEN_PUBLISH=1 is set."
 );
 process.exit(1);