From 92d142823eed851991eb50937c1c5db7c84bea1c Mon Sep 17 00:00:00 2001 From: vlavrynovych Date: Wed, 17 Dec 2025 01:45:00 +0200 Subject: [PATCH 1/4] #133: Add OIDC publish workflow for testing token-less npm publishing --- .github/workflows/publish.yml | 38 +++++++++++++++++++++++++++++++++++ 1 file changed, 38 insertions(+) create mode 100644 .github/workflows/publish.yml diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml new file mode 100644 index 0000000..477a98b --- /dev/null +++ b/.github/workflows/publish.yml @@ -0,0 +1,38 @@ +name: Publish to npm + +on: + push: + branches: + - feature/npm-oidc-publish # Test branch trigger + workflow_dispatch: # Manual trigger + release: + types: [published] + +jobs: + publish: + name: Publish to npm + runs-on: ubuntu-latest + permissions: + contents: read + id-token: write # Required for OIDC trusted publishing + + steps: + - name: Checkout repository + uses: actions/checkout@v4 + + - name: Setup Node + uses: actions/setup-node@v4 + with: + node-version: "20" + registry-url: 'https://registry.npmjs.org' + + - name: Install dependencies + run: npm ci + + - name: Create backups directory + run: mkdir -p backups + + - name: Publish to npm + run: npm publish + # prepublishOnly hook runs build and test automatically + # Provenance is automatic with trusted publishing (OIDC) From 0d1a31859a57d140312d8206daac3a268c338655 Mon Sep 17 00:00:00 2001 From: vlavrynovych Date: Wed, 17 Dec 2025 01:52:35 +0200 Subject: [PATCH 2/4] #133: check npm version --- .github/workflows/publish.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 477a98b..783ebca 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -26,6 +26,9 @@ jobs: node-version: "20" registry-url: 'https://registry.npmjs.org' + - name: Check npm version + run: npm --version + - name: Install dependencies run: npm ci 
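Review bot: The `push` trigger on `feature/npm-oidc-publish` together with an unconditional `workflow_dispatch` means any push to that branch, or a manual run against any ref, executes `npm publish` with `id-token: write`, so a throw-away test branch becomes a release channel; if the branch trigger is only for testing, remove it before merge and gate manual runs with a job-level condition such as `if: github.event_name == 'release' || github.ref == 'refs/heads/master'` (master being the branch the existing npm-publish.yml published from). A job that mints an OIDC identity for publishing also deserves actions pinned to a commit SHA rather than the mutable `@v4` tags, e.g. `uses: actions/checkout@<sha>  # v4`, since a retagged action would run with publish identity. The comment `# Provenance is automatic with trusted publishing (OIDC)` holds only if the npm CLI actually performs the OIDC exchange, which depends on the npm version bundled with Node 20 rather than on anything in this hunk — worth verifying against npm's trusted-publishing requirements instead of assuming.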
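Review bot: `npm --version` in the new `Check npm version` step only logs the version; it neither ensures the CLI is new enough to perform the OIDC exchange nor fails the job if it is not, so a too-old npm would silently fall through to whatever other auth is configured. If the goal is reliable token-less publishing, upgrade or assert rather than print, e.g. `run: npm install -g npm@latest && npm --version`, and fail the job when the version is below the minimum npm's trusted-publishing documentation states (confirm the exact number there). Otherwise this step is debugging output and should not survive in the release workflow.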
From 9d63fb7bc36203bd7e87aab95deea2a3c652b4e6 Mon Sep 17 00:00:00 2001 From: vlavrynovych Date: Wed, 17 Dec 2025 02:00:17 +0200 Subject: [PATCH 3/4] #133: publish with token --- .github/workflows/publish.yml | 6 ++++-- package.json | 2 +- 2 files changed, 5 insertions(+), 3 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 783ebca..2675a6b 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -35,7 +35,9 @@ jobs: - name: Create backups directory run: mkdir -p backups - - name: Publish to npm + - name: Publish to npm (OIDC preferred, token fallback) run: npm publish + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} # prepublishOnly hook runs build and test automatically - # Provenance is automatic with trusted publishing (OIDC) + # Will try OIDC first, fall back to token if OIDC fails diff --git a/package.json b/package.json index a5ed951..4a40712 100644 --- a/package.json +++ b/package.json @@ -114,7 +114,7 @@ }, "repository": { "type": "git", - "url": "https://github.com/migration-script-runner/msr-core.git" + "url": "git+https://github.com/migration-script-runner/msr-core.git" }, "bugs": { "url": "https://github.com/migration-script-runner/msr-core/issues", From 3de4dfd7b4b639a42809de4d92071412f2aac10d Mon Sep 17 00:00:00 2001 From: vlavrynovych Date: Wed, 17 Dec 2025 02:13:43 +0200 Subject: [PATCH 4/4] #133: Replace with tag-based npm publishing workflow --- .github/workflows/npm-publish.yml | 61 ++++++++++--------------------- .github/workflows/publish.yml | 43 ---------------------- 2 files changed, 19 insertions(+), 85 deletions(-) delete mode 100644 .github/workflows/publish.yml diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml index 85dff93..60ff2e9 100644 --- a/.github/workflows/npm-publish.yml +++ b/.github/workflows/npm-publish.yml 
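Review bot: Adding `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}` to the publish step reintroduces the long-lived credential this series set out to remove, and it is now exposed to every run of the workflow, including pushes to the test branch. The comment `# Will try OIDC first, fall back to token if OIDC fails` describes behaviour the workflow cannot guarantee: setup-node with `registry-url` configures `.npmrc` to read that token, and which credential the npm CLI actually uses when both are available is decided by the npm version, not by anything in this hunk — a silent fallback also hides a broken OIDC setup indefinitely. Under token auth provenance is not automatic either, so the removed `# Provenance is automatic` claim should be replaced by the explicit flag, `run: npm publish --provenance --access public`. If a fallback is genuinely required, make it a separate, clearly named step that runs only when the OIDC publish step failed, so the job log shows which path published.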
@@ -1,42 +1,19 @@ -name: npm-publish +name: Publish to npm + on: push: - branches: - - master + tags: + - 'v*' # Trigger on version tags (v0.8.0, v1.0.0, etc.) + workflow_dispatch: # Manual trigger jobs: - check: - name: Check Version - runs-on: ubuntu-latest - outputs: - changed: ${{ steps.check.outputs.changed }} - version: ${{ steps.check.outputs.version }} - commit: ${{ steps.check.outputs.commit }} - type: ${{ steps.check.outputs.type }} - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Check if version has been updated - id: check - uses: EndBug/version-check@v2 - - - name: Log when unchanged - if: steps.check.outputs.changed == 'false' - run: 'echo "No version change"' - - - name: Log when changed - if: steps.check.outputs.changed == 'true' - run: 'echo "Version change found in commit ${{ steps.check.outputs.commit }}! New version: ${{ steps.check.outputs.version }} (${{ steps.check.outputs.type }})"' publish: - needs: - - check - if: needs.check.outputs.changed == 'true' - name: Publish + name: Publish to npm runs-on: ubuntu-latest permissions: - contents: write - id-token: write # Required for OIDC token-less publishing + contents: read + id-token: write # Required for provenance + steps: - name: Checkout repository uses: actions/checkout@v4 
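Review bot: Switching the trigger to `tags: - 'v*'` plus an unconditional `workflow_dispatch` lets anyone who can push a tag publish a release, and the removed `EndBug/version-check` job was the only guard that the published version corresponded to a deliberate bump; nothing in the new workflow checks that the tag matches `package.json`. Add a step after checkout such as `run: test "v$(node -p "require('./package.json').version")" = "$GITHUB_REF_NAME"` (which also fails a manual run from a branch, where `GITHUB_REF_NAME` is not a tag) and protect `v*` tags with a repository ruleset so only release managers can create them. Narrowing `contents` to `read` is a good change; the `# Required for provenance` comment on `id-token: write` is accurate only when `npm publish` is invoked with `--provenance` or through a configured trusted publisher. The `steps:` list this hunk opens continues outside the hunk.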
@@ -47,15 +24,15 @@ jobs: node-version: "20" registry-url: 'https://registry.npmjs.org' - - run: npm ci - - run: mkdir -p backups + - name: Install dependencies + run: npm ci - # Publish with provenance using trusted publisher (OIDC) - # prepublishOnly hook runs build and test automatically - - name: Publish to npm - run: npm publish --provenance --access public + - name: Create backups directory + run: mkdir -p backups - - name: Create Git Tag - uses: thejeff77/action-push-tag@v1.0.0 - with: - tag: 'v${{ needs.check.outputs.version }}' + - name: Publish to npm + run: npm publish + env: + NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + # prepublishOnly hook runs build and test automatically + # Provenance is signed automatically via id-token: write diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml deleted file mode 100644 index 2675a6b..0000000 --- a/.github/workflows/publish.yml +++ /dev/null @@ -1,43 +0,0 @@ -name: Publish to npm - -on: - push: - branches: - - feature/npm-oidc-publish # Test branch trigger - workflow_dispatch: # Manual trigger - release: - types: [published] - -jobs: - publish: - name: Publish to npm - runs-on: ubuntu-latest - permissions: - contents: read - id-token: write # Required for OIDC trusted publishing - - steps: - - name: Checkout repository - uses: actions/checkout@v4 - - - name: Setup Node - uses: actions/setup-node@v4 - with: - node-version: "20" - registry-url: 'https://registry.npmjs.org' - - - name: Check npm version - run: npm --version - - - name: Install dependencies - run: npm ci - - - name: Create backups directory - run: mkdir -p backups - - - name: Publish to npm (OIDC preferred, token fallback) - run: npm publish - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} - # prepublishOnly hook runs build and test automatically - # Will try OIDC first, fall back to token if OIDC fails
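Review bot: The final publish step runs `npm publish` with `NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}`, which is token-based publishing, yet the trailing comment claims `# Provenance is signed automatically via id-token: write` — with a classic token, `id-token: write` alone produces no attestation; the `--provenance` flag on the removed line `npm publish --provenance --access public` is what requested it. Restore it as `run: npm publish --provenance --access public`, or drop the comment so the workflow does not advertise provenance it does not produce. Dropping `--access public` may also matter if the package is scoped (an unpublished scoped package defaults to restricted access) — confirm against the package name in package.json, which is not in this diff. As it stands, a series titled token-less publishing ends with the long-lived NPM_TOKEN back in the workflow and no provenance, so either finish the OIDC migration (trusted publisher configured on npmjs.com, a recent npm CLI, no token in the env) or document in the workflow why the token remains.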