From 8ac9ed5415868ce7b9eeff1fde0c7dd33d2841db Mon Sep 17 00:00:00 2001 From: wenxin-jiang Date: Thu, 2 Apr 2026 12:36:47 -0400 Subject: [PATCH] fix: use NPM_TOKEN for npm publish to support new packages MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OIDC trusted publishing requires packages to already exist on the npm registry. Use NPM_TOKEN (automation token) instead, which can create new packages directly — matching how the original workflow worked. - Add `environment: npm-publish` to satisfy zizmor audit - Add `NODE_AUTH_TOKEN` from `secrets.NPM_TOKEN` for publish steps - Add `fail-fast: false` to build matrix to prevent one flaky build from cancelling all others Prerequisites: 1. Create an "npm-publish" environment in repo Settings → Environments 2. Add NPM_TOKEN secret to that environment (automation token from npmjs.com @socketsecurity org) Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/release.yml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ccc7b50..62e1ffe 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -56,6 +56,7 @@ jobs: needs: [version, tag] if: ${{ always() && needs.version.result == 'success' && (needs.tag.result == 'success' || needs.tag.result == 'skipped') }} strategy: + fail-fast: false matrix: include: - target: aarch64-apple-darwin @@ -233,6 +234,7 @@ jobs: needs: [version, build] if: ${{ !inputs.dry-run }} runs-on: ubuntu-latest + environment: npm-publish permissions: contents: read id-token: write @@ -291,6 +293,8 @@ jobs: stage_win socket-patch-aarch64-pc-windows-msvc npm/socket-patch-win32-arm64 - name: Publish platform packages + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} run: | for pkg_dir in npm/socket-patch-*/; do echo "Publishing ${pkg_dir}..." 
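Review bot: `environment: npm-publish` only gates the secret if the environment itself carries protection rules; a GitHub environment has none by default, so any run of a workflow that references it, from any branch, can read `NPM_TOKEN`. The commit message's prerequisites create the environment and add the secret but say nothing about restricting deployment branches or requiring reviewers; record that intent in the workflow, e.g. `# npm-publish environment holds NPM_TOKEN; keep its deployment-branch rule limited to release refs` above the `environment:` line. `id-token: write` is still needed because the main-package publish in the last hunk passes `--provenance`, so keeping it in `permissions` looks correct. The `npm-publish` job's body continues outside this hunk.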
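Review bot: `NODE_AUTH_TOKEN` is only honoured if an earlier `actions/setup-node` step in this job sets `registry-url` (that is what writes the `_authToken` entry into `.npmrc`); that step is outside this hunk, so confirm it exists, otherwise `npm publish` will not pick up the token and will fail for packages that do not yet exist. The same check applies to the `Publish main package` step in the next hunk. Scoping the token with a step-level `env:` rather than at job level is the right choice, since it keeps the secret out of the staging steps above. The `run: |` script of this step continues past the hunk.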
@@ -304,6 +308,8 @@ jobs: run: cp README.md npm/socket-patch/README.md - name: Publish main package + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} run: npm publish ./npm/socket-patch --provenance --access public pypi-publish:
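Review bot: Moving from OIDC trusted publishing to `NPM_TOKEN` trades a short-lived, workflow-bound credential for a long-lived secret, and nothing in the hunk records that this is a bootstrap for packages that do not yet exist on the registry. Add a comment above the `env:` block such as `# NPM_TOKEN is only needed until the packages exist on npm; switch back to trusted publishing and revoke it afterwards`, and note the token's expiry and rotation owner alongside it (npm appears to have been tightening lifetimes for publish-capable tokens; confirm against current registry policy). `--provenance` still relies on the job's `id-token: write` permission, so the token does not replace that grant.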