fix(ci): add environment: npm to wasm publish for Trusted Publishing #2239

Merged: douenergy merged 1 commit into main from fix/wasm-trusted-publishing-npm-version on May 5, 2026
@goldmedal (Collaborator) commented May 5, 2026

Summary

The wasm publish job is still failing — most recently with ENEEDAUTH (https://github.com/Canner/WrenAI/actions/runs/25354035171/job/74339499436). The npm CLI never went through the OIDC handshake.

The npm Trusted Publisher config for @wrenai/wren-core-wasm has Environment name: npm set. With that field set, npm requires the OIDC token to carry an environment: npm claim. GitHub only adds that claim when the job runs inside a deployment environment, and our publish job didn't declare one — so npm rejected the publish. (Before #2235 the symptom was a 404; after, it's ENEEDAUTH. Both are downstream symptoms of the same missing claim.)

Fix

Required repo setup

Before merging, create a GitHub Actions environment named npm:

Repo → Settings → Environments → New environment → name npm

(That's the same name configured on npm's side.) Optional but recommended: protect it with required reviewers and a branch restriction so only main (or release branches) can publish.

If the environment doesn't exist when the workflow runs, the job will fail with a clear "environment not found" error.

Test plan

  • Create the npm environment in repo settings.
  • Re-dispatch RC Release with component=wren-core-wasm and confirm npm publish succeeds via OIDC.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated npm publishing workflow configuration to improve package publication reliability and security through enhanced registry setup and environment requirements.

The npm Trusted Publisher config has Environment name set to 'npm',
which means the OIDC token must include an 'environment' claim. GitHub
only emits that claim when the job runs in a deployment environment.
The publish job didn't declare one, so npm rejected the publish (seen
as ENEEDAUTH after #2235 / 404 before it).

Add environment: npm to the build-and-publish job. The 'npm'
environment must exist under repo Settings -> Environments — that's
where you can also gate releases with required reviewers / branch
restrictions.

Also restore registry-url on setup-node. Removing it in #2235 was the
wrong direction: the official npm Trusted Publishers docs keep it set,
and the actual blocker was the missing environment claim, not the
auto-written .npmrc.

@coderabbitai (Bot, Contributor) commented May 5, 2026

Caution

Review failed

Pull request was closed or merged during review

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 7b34a9f and ce03125.

📒 Files selected for processing (1)
  • .github/workflows/publish-wren-core-wasm.yml

Walkthrough

The workflow configures npm Trusted Publisher authentication by adding an environment: npm binding to the publish job and explicitly setting the npm registry URL in the Node.js setup step, enabling OIDC-based credential-less publishing.

Changes

npm Trusted Publisher Configuration

| Layer / File(s) | Summary |
|---|---|
| Environment Setup (.github/workflows/publish-wren-core-wasm.yml) | Adds environment: npm to the build-and-publish job to satisfy npm Trusted Publisher's environment requirement. |
| Node Registry Configuration (.github/workflows/publish-wren-core-wasm.yml) | Updates actions/setup-node@v4 to pin Node.js to version 24 and explicitly set registry-url: https://registry.npmjs.org, supporting OIDC-based Trusted Publishing without manually written .npmrc credentials. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

  • Canner/WrenAI#2235: Modifies the same actions/setup-node step in the publish workflow with opposing registry-url changes affecting Trusted Publishing behavior.
  • Canner/WrenAI#2232: Also updates the publish-wren-core-wasm workflow to configure npm Trusted Publishing and OIDC authentication with Node.js 24 pinning.

Suggested labels

ci, wasm

Suggested reviewers

  • PaulChen79

Poem

🐰 A registry route, now clearly defined,
Trust without secrets, OIDC-aligned,
The bunny hops forth, credentials-free,
npm's blessed path for WASM to be! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and accurately summarizes the main change: adding the environment: npm configuration to the wasm publish workflow for Trusted Publishing support. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


@github-actions github-actions Bot added the ci label May 5, 2026
@douenergy douenergy merged commit fd1c571 into main May 5, 2026
8 of 9 checks passed
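
The claim mismatch discussed in this PR, as an added diagnostic example (not code from the PR or the WrenAI repository): it decodes the payload of a GitHub Actions OIDC token and compares it with a trusted-publisher entry. The two tokens are constructed, unsigned samples, and `publisher_mismatches` is a simplified, hypothetical model of the registry-side comparison, not npm's implementation.

```python
import base64
import json

def b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(jwt):
    """Return the payload claims of a compact JWT WITHOUT verifying the signature.
    Diagnostic use only: never base a trust decision on unverified claims."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))

def publisher_mismatches(claims, publisher):
    """List the reasons the claims fail a trusted-publisher entry (simplified model)."""
    problems = []
    if claims.get("repository") != publisher["repository"]:
        problems.append(f"repository claim is {claims.get('repository')!r}")
    wanted = publisher.get("environment")  # optional field on the publisher entry
    got = claims.get("environment")
    if wanted and got != wanted:
        hint = " (job declares no `environment:`)" if got is None else ""
        problems.append(f"environment claim is {got!r}, expected {wanted!r}{hint}")
    return problems

def constructed_token(claims):
    # Constructed sample: unsigned token with a placeholder signature segment.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.c2ln"

# Publisher entry as described in the PR: "Environment name: npm" is set.
PUBLISHER = {"repository": "Canner/WrenAI", "environment": "npm"}
TOKEN_NO_ENV = constructed_token({  # job without `environment:` (before the fix)
    "sub": "repo:Canner/WrenAI:ref:refs/heads/main",
    "repository": "Canner/WrenAI",
})
TOKEN_WITH_ENV = constructed_token({  # job with `environment: npm` (after the fix)
    "sub": "repo:Canner/WrenAI:environment:npm",
    "repository": "Canner/WrenAI", "environment": "npm",
})

if __name__ == "__main__":
    for name, tok in (("before fix", TOKEN_NO_ENV), ("after fix", TOKEN_WITH_ENV)):
        print(name, publisher_mismatches(decode_claims(tok), PUBLISHER) or "claims match")
```

Declaring an environment also changes the `sub` claim from the `ref:` form to the `environment:` form, so any other relying party that pins `sub` needs the same review.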