chore(ci): switch publish to OIDC trusted publishing #1839
felixweinberger wants to merge 1 commit into v1.x from
LGTM — straightforward CI change removing token-based auth in favor of OIDC trusted publishing.
Extended reasoning...
Overview
Single-file CI change to .github/workflows/main.yml (v1.x branch). Removes registry-url from actions/setup-node and drops the NODE_AUTH_TOKEN env var from the npm publish step. The id-token: write permission was already present, so OIDC will work without additional changes.
Security risks
This change improves the security posture by eliminating the need for a long-lived NPM_TOKEN secret. OIDC trusted publishing is the recommended modern approach. No new attack surface is introduced.
Level of scrutiny
Low — this is a mechanical two-line deletion in a CI workflow. The companion PR (#1838) made the identical change to the main branch workflow.
Other factors
No bugs found. No changeset needed (CI-only change). The environment: release gate and id-token: write permission already provide the necessary constraints for OIDC to function correctly.
bhosmer-ant
left a comment
Clean backport — v1.x already had id-token: write job-scoped, --provenance, and environment: release, so dropping registry-url + NODE_AUTH_TOKEN is the whole change.
One parity gap with #1838: that PR adds npm install -g npm@11.5.1 before publish (OIDC needs npm ≥11.5.1; the rationale is not depending on which Node 24 patch setup-node resolves to). This backport omits it. Fails closed if it's ever a problem, so low risk — but for consistency:
```yaml
- name: Ensure npm CLI supports OIDC trusted publishing
  run: npm install -g npm@11.5.1
```

Also noting: the npm trusted-publisher config needs a second entry for v1.x (main.yml / release, a different workflow filename than main's release.yml).
Review by Claude, checked by Basil.
v1.x companion to #1838. Drops `NODE_AUTH_TOKEN` and `registry-url`; the npm CLI auto-detects GitHub Actions OIDC. `id-token: write` was already present. Requires a trusted publisher configured for `@modelcontextprotocol/sdk` on npmjs.com (workflow `main.yml`, environment `release`).
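The following is a constructed before/after sketch of the publish job, added here to make the change the PR description and review discuss concrete; it is not the project's actual `.github/workflows/main.yml` and not code from the PR. The facts it relies on come from the page (job-scoped `id-token: write`, `environment: release`, `--provenance`, the `npm@11.5.1` floor, and the removal of `registry-url` and `NODE_AUTH_TOKEN`); the action versions, Node version, build commands and the `contents: read` permission are assumptions.

```yaml
# Constructed example (assumed action versions, Node version and build steps).
# "Before" is the long-lived-token shape the PR removes; "After" is the
# OIDC trusted-publishing shape it keeps.

# --- Before: token-based publish (shown as comments; this is what the PR deletes) ---
# jobs:
#   publish:
#     runs-on: ubuntu-latest
#     steps:
#       - uses: actions/checkout@v4
#       - uses: actions/setup-node@v4
#         with:
#           node-version: 24
#           registry-url: https://registry.npmjs.org   # removed by the PR
#       - run: npm ci && npm run build
#       - run: npm publish --provenance
#         env:
#           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # long-lived secret, removed by the PR

# --- After: OIDC trusted publishing ---
jobs:
  publish:
    runs-on: ubuntu-latest
    # The npmjs.com trusted-publisher entry must name this workflow file
    # (main.yml on v1.x) and this environment (release). A mismatch means
    # npm cannot exchange the OIDC token and the publish fails closed.
    environment: release
    permissions:
      contents: read       # assumed; read-only checkout
      id-token: write      # lets only this job mint a GitHub OIDC token (job-scoped)
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 24
          # No registry-url: the npm CLI detects the GitHub Actions OIDC
          # environment on its own, so the setup-node token wiring is unnecessary.
      - name: Ensure npm CLI supports OIDC trusted publishing
        # Pins the floor the review asks for instead of trusting whichever npm
        # the resolved Node 24 patch happens to bundle.
        run: npm install -g npm@11.5.1
      - run: npm ci && npm run build
      # No NODE_AUTH_TOKEN: npm trades the short-lived OIDC token for a
      # publish credential bound to this repo, workflow and environment.
      - run: npm publish --provenance
```

The defender-relevant property is that there is no secret to leak or rotate: the credential exists only for the duration of the job, and it is scoped by the trusted-publisher entry to this repository, workflow filename and environment, so a stolen copy of the workflow file alone cannot publish.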