
Fix npm trusted publishing: clear NODE_AUTH_TOKEN to allow OIDC exchange #38

Merged
einari merged 2 commits into main from copilot/fix-npm-publishing-issues on Mar 13, 2026

Conversation

Copilot AI (Contributor) commented Mar 13, 2026

actions/setup-node@v4 with registry-url exports NODE_AUTH_TOKEN set to GITHUB_TOKEN for all subsequent steps. npm uses this as the registry auth token — which is not a valid npm token — returning 404 instead of performing the OIDC exchange that trusted publishing requires.

Fixed

  • publish.yml: Added NODE_AUTH_TOKEN: '' to the publish step's env block — overrides the GITHUB_TOKEN value exported by setup-node, leaving _authToken empty in the generated .npmrc so npm falls back to the OIDC token exchange with npmjs.com (the trusted publishing flow)
  • publish.yml: Fixed deprecated set-output command → $GITHUB_OUTPUT
  • publish.yml: Upgraded actions/cache@v3 → actions/cache@v4

Prerequisite: The @cratis/components package on npmjs.com must have a GitHub Actions Trusted Publisher configured (package Settings → Trusted Publishers) pointing to this repository and workflow. This is a required npmjs.com-side configuration that cannot be done from the workflow alone — without it, the OIDC token exchange will fail even with this fix applied. To configure: npmjs.com → @cratis/components → Settings → Trusted Publishers → Add → GitHub Actions → Repository: Cratis/Components, Workflow: publish.yml.



Co-authored-by: einari <134365+einari@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix trusted publishing errors for NPM" to "Fix npm trusted publishing: clear NODE_AUTH_TOKEN to allow OIDC exchange" on Mar 13, 2026
Copilot AI requested a review from einari on March 13, 2026 at 14:43
einari (Contributor) commented Mar 13, 2026

@copilot I'm going to ask you what I asked in the previous session we had; why are you so certain and confident that this is now the solution. It is frustrating burning version numbers just because you're wrong. So I need you to be 100% certain it will work.

Copilot AI (Contributor, Author) commented Mar 13, 2026

@copilot I'm going to ask you what I asked in the previous session we had; why are you so certain and confident that this is now the solution. It is frustrating burning version numbe...

I appreciate you pushing back on this — it's a fair challenge.

Here's what I can state with certainty and where uncertainty remains:

What I'm certain about: The previous 404 was caused by actions/setup-node@v4 exporting NODE_AUTH_TOKEN=GITHUB_TOKEN for all subsequent steps. npm used that GITHUB_TOKEN as the registry auth token (not a valid npm token) → 404. The CI log confirms this: Sigstore provenance signing succeeded (uses OIDC JWT directly, unaffected by NODE_AUTH_TOKEN), but the registry PUT failed. Setting NODE_AUTH_TOKEN: '' in the publish step prevents this.

What I cannot guarantee: Whether the npm OIDC token exchange will succeed after clearing NODE_AUTH_TOKEN. This depends on a npmjs.com-side configuration that I cannot verify or change from this repository:

Required: On npmjs.com → @cratis/components package → Settings → Trusted Publishers → Add a trusted publisher:

  • Publisher type: GitHub Actions
  • Repository owner: Cratis
  • Repository name: Components
  • Workflow filename: publish.yml

Without this configuration, the OIDC exchange with npmjs.com will fail with a different error (403 or 401), even with the workflow correctly clearing NODE_AUTH_TOKEN.

If you don't want to set up Trusted Publishers and just want reliable publishing: replace NODE_AUTH_TOKEN: '' with NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} (a granular npm access token created at npmjs.com). That bypasses OIDC entirely and is guaranteed to work.

The workflow fix in this PR is necessary but not sufficient on its own for trusted publishing to work.
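The workflow shape the two Copilot comments above describe, written out as an added example (this is not the repository's actual publish.yml): actions/setup-node with registry-url, which writes an _authToken entry referencing NODE_AUTH_TOKEN into .npmrc and exports a NODE_AUTH_TOKEN value for later steps, followed by a publish step whose env block clears that variable so npm performs the OIDC exchange with npmjs.com. The tag trigger, node-version, build commands and --access flag are assumptions; permissions.id-token: write is the GitHub-side setting that allows the job to mint the OIDC token at all, which neither comment spells out but which trusted publishing depends on. The npmjs.com Trusted Publisher entry (repository Cratis/Components, workflow publish.yml) still has to exist, as the comments say; no workflow change substitutes for it.

```yaml
# Example GitHub Actions workflow for npm trusted publishing (illustrative, not the project's file).
name: Publish

on:
  push:
    tags: ['v*']          # assumption: publish on version tags

permissions:
  contents: read
  id-token: write         # lets the job request an OIDC token; without this there is nothing to exchange

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22                        # assumption
          registry-url: https://registry.npmjs.org
        # Side effect of registry-url: setup-node writes
        #   //registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}
        # to .npmrc and exports NODE_AUTH_TOKEN for every subsequent step.

      - run: npm ci                               # assumption: lockfile-based install
      - run: npm run build                        # assumption: build script

      # BROKEN (what the 404 looked like): no env override, so npm sends the exported
      # NODE_AUTH_TOKEN as _authToken and never attempts the OIDC exchange.
      #   - run: npm publish --provenance --access public

      # FIXED: clear the variable for this step only. ${NODE_AUTH_TOKEN} in .npmrc
      # expands to an empty token, npm sees no credential for the registry and
      # falls back to the OIDC exchange with npmjs.com (trusted publishing).
      - name: Publish (trusted publishing)
        run: npm publish --provenance --access public   # --access public is an assumption for a scoped package
        env:
          NODE_AUTH_TOKEN: ''

      # ALTERNATIVE (no Trusted Publisher configured on npmjs.com): use a granular
      # npm access token stored as a repository secret; this bypasses OIDC entirely.
      #   - name: Publish (token)
      #     run: npm publish --access public
      #     env:
      #       NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}   # secret name is an assumption
```

When choosing between the two publish steps, prefer the OIDC one where the npmjs.com side can be configured: it leaves no long-lived registry credential in repository secrets, and a leaked GITHUB_TOKEN or placeholder value in NODE_AUTH_TOKEN cannot publish anyway. Keep the `env:` override on the publish step itself rather than at job level so that setup-node's own .npmrc generation is unaffected.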

@einari einari marked this pull request as ready for review March 13, 2026 14:59
@einari einari merged commit 7f2ca4c into main Mar 13, 2026
1 check passed