
Chore/trusted publishing #205

Open

cache-your-dreams wants to merge 3 commits into main from chore/trusted-publishing

Conversation

@cache-your-dreams


What does it do?

Adding npm trusted publishing

Why is it needed?

So we no longer need tokens to publish packages

How to test it?

In its current state, it does not run automatically. A human will need to run the workflow in the GitHub UI

adding npm trusted publishing so that we no longer need to use tokens

Copilot AI left a comment


Pull request overview

Adds a manual Release GitHub Actions workflow configured for npm Trusted Publishing (OIDC) so publishing can happen without long-lived npm tokens.

Changes:

  • Bumps package version to 1.6.3.
  • Adds .nvmrc (Node 22) and a new manually-triggered .github/workflows/release.yml that builds and publishes with provenance and posts Slack notifications.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File / Description:

  • package.json: Version bump for the release.
  • .nvmrc: Defines the Node version used by the release workflow.
  • .github/workflows/release.yml: Implements manual release workflow using OIDC trusted publishing + Slack notifications.


@coderabbitai

coderabbitai Bot commented Jun 25, 2026


Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 926e22d5-be37-4d0f-b75c-2ee0e51b17c5

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@jhoward1994

jhoward1994 commented Jun 26, 2026

Contributor

Thanks, mainly looks good. I'm thinking this is the best way forward, wdyt:

1. Don't make the package.json bump to 1.6.3 in this PR

2. It looks like we've done this on NPM. Did you do this just now to support this PR?

	[@strapi/client](https://www.npmjs.com/package/@strapi/client) → Package settings → Trusted publishers:

	- Organization: `strapi`
	- Repository: `client`
	- Workflow filename: `release.yml`

3. Then we can merge this PR (without a version bump)

4. Prepare a test version (separate from latest)
On main (or a short-lived test branch), bump to something explicit and safe, e.g.:

  • 1.6.3-trusted-publishing.0, or
  • 1.6.3-experimental.<short-sha>

and commit that in a dedicated branch.

5. Run the workflow manually targeting that branch
Actions → Release → Run workflow:

  • Branch: the branch with the test version
  • Dist-tag: next (not latest) so we don't move the production tag

6. After all that is confirmed as working, we should update CONTRIBUTING.md to reflect the new process
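The manual, token-free release workflow summarised in the Copilot overview above and the next-tag test run proposed in the comment just before this, as one added example. This is not the PR's own release.yml (that file is not shown on this page) and not Strapi's code. It assumes a workflow_dispatch input named dist_tag, the npm-documented trusted-publishing setup (permissions id-token: write, actions/setup-node with registry-url, npm 11.5.1 or newer), and that the trusted publisher is registered on npm for repository strapi/client with workflow filename release.yml as the comment above lists; the Slack notification steps are left out. The guard step and the post-publish attestation check are my additions, and the dist.attestations field that check reads is npm registry metadata as I know it, not something this PR documents.

```yaml
# Added example workflow, not the PR's release.yml.
# Assumes an npm trusted publisher registered for strapi/client + release.yml.
name: Release

on:
  workflow_dispatch:
    inputs:
      dist_tag:
        description: npm dist-tag to publish under (use "next" for test releases)
        required: true
        default: next
        type: choice
        options:
          - next
          - latest

permissions:
  contents: read
  # Lets the job request a GitHub OIDC token, which npm exchanges for a
  # short-lived publish credential. No long-lived NPM_TOKEN secret is used.
  id-token: write

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version-file: .nvmrc          # Node 22, per the .nvmrc this PR adds
          registry-url: https://registry.npmjs.org

      # Node 22 bundles npm 10.x; trusted publishing (OIDC) needs npm 11.5.1 or newer.
      - run: npm install -g npm@latest

      # Inputs go through env, not into the script text, so a crafted input
      # value cannot inject shell into the run step.
      - name: Refuse dist-tag/version combinations that would move "latest" by accident
        env:
          DIST_TAG: ${{ inputs.dist_tag }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          version="$(node -p "require('./package.json').version")"
          echo "version=$version dist-tag=$DIST_TAG ref=$REF_NAME"
          case "$version" in
            *-*)  # prerelease, e.g. 1.6.3-trusted-publishing.0
              if [ "$DIST_TAG" = "latest" ]; then
                echo "refusing to point latest at prerelease $version" >&2
                exit 1
              fi ;;
          esac
          if [ "$DIST_TAG" = "latest" ] && [ "$REF_NAME" != "main" ]; then
            echo "latest may only be published from main (got $REF_NAME)" >&2
            exit 1
          fi

      - run: npm ci
      - run: npm run build

      # No NODE_AUTH_TOKEN anywhere: npm authenticates with the OIDC token and
      # attaches a provenance attestation naming this workflow run.
      - run: npm publish --provenance --access public --tag "$DIST_TAG"
        env:
          DIST_TAG: ${{ inputs.dist_tag }}

      - name: Verify the registry recorded a provenance attestation
        run: |
          name="$(node -p "require('./package.json').name")"
          version="$(node -p "require('./package.json').version")"
          # Assumption: the registry exposes provenance under dist.attestations
          npm view "$name@$version" dist.attestations --json | grep -q provenance \
            || { echo "no provenance attestation found for $name@$version" >&2; exit 1; }
```

The npm trusted-publisher entry matches on repository and workflow filename (plus an optional environment name), not on the branch the workflow ran from, so a run from a short-lived test branch authenticates exactly like a run from main; that is why the guard step checks the branch and the prerelease suffix itself before anything is published, and why restricting who can dispatch the workflow (or adding a protected environment) is the GitHub-side control rather than something npm enforces.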


3 participants