From e305bdeaba9174a4ec116b9d6fc988588785b2a4 Mon Sep 17 00:00:00 2001
From: Ahmed Abdullajev
Date: Mon, 15 Jun 2026 15:54:12 +0300
Subject: [PATCH 1/4] CICDL-378: Remove unused NPM_PUBLIC_PUBLISH_TOKEN from npm publish workflow

All public packages have migrated to OIDC Trusted Publishers (CICDL-258), making the token-based publish path dead code.

Co-Authored-By: Claude Opus 4.6
---
 .../reusable_cicd-npm-package-publish.yml | 28 -------------------
 1 file changed, 28 deletions(-)

diff --git a/.github/workflows/reusable_cicd-npm-package-publish.yml b/.github/workflows/reusable_cicd-npm-package-publish.yml
index d01f4ab..144340c 100644
--- a/.github/workflows/reusable_cicd-npm-package-publish.yml
+++ b/.github/workflows/reusable_cicd-npm-package-publish.yml
@@ -28,9 +28,6 @@ on:
 required: false
 default: false
 secrets:
- NPM_PUBLIC_PUBLISH_TOKEN:
- description: NPM token to use for publishing
- required: false
 PD_PUBLIC_GHA_BOT_APPLICATION_PRIVATE_KEY_PEM:
 required: true
 jobs:
@@ -40,15 +37,6 @@ jobs:
 id-token: write
 contents: read
 steps:
- - name: Validate token configuration
- if: ${{ !inputs.use_trusted_publisher }}
- env:
- NPM_TOKEN: ${{ secrets.NPM_PUBLIC_PUBLISH_TOKEN }}
- run: |
- if [ -z "${NPM_TOKEN}" ]; then
- echo "::error::NPM_PUBLIC_PUBLISH_TOKEN secret must be provided when use_trusted_publisher is false"
- exit 1
- fi
 - name: Checkout ${{ github.repository }}
 uses: actions/checkout@v6
 with:
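Review bot: Dropping the `NPM_PUBLIC_PUBLISH_TOKEN` secret declaration in the `secrets:` block removes the code path but not the credential: the wrapper invokes this workflow with `secrets: inherit`, so an org or repo secret of that name that still exists keeps flowing into the called job even though nothing in this diff reads it any more. Revoke the token on npmjs.com and delete the secret as part of this change, and record that in the commit message, so the dead credential is not available to a later step or a compromised third-party action. Callers also get no signal that the secret is now ignored; a one-line note at the top of the `secrets:` block such as `# Publishing is OIDC-only (npm Trusted Publishers); no npm token secret is accepted.` would document the new contract.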
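Review bot: Removing the `Validate token configuration` step leaves the job with no pre-publish check at all; now that the token path is gone, a caller that lacks `id-token: write` (the permissions block is visible as context just above the removed step) fails only inside the later `Publish to NPM` step, which is wrapped in a retry action and will repeat the same deterministic auth failure until the retries are exhausted. A cheap replacement is a step that asserts the OIDC token request URL GitHub injects when that permission is granted is present before anything is published, which also documents why the permission must not be dropped. The enclosing job continues outside this hunk.

```yaml
      # … unchanged: permissions (id-token: write, contents: read) …
      steps:
        # Trusted Publishing needs the job's id-token: write permission; fail fast if it is missing
        - name: Validate OIDC token availability
          run: |
            if [ -z "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ]; then
              echo "::error::id-token: write permission is required for npm Trusted Publishing (OIDC)"
              exit 1
            fi
        # … unchanged: checkout and later steps …
```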
@@ -151,20 +139,6 @@ jobs:
 echo "::error::${_errorMessage}"
 exit 1
 fi
- - name: Create .npmrc for publishing
- shell: bash
- if: ${{ !inputs.use_trusted_publisher }}
- run: |
- {
- # For multiple registry we need to add the registry to the .npmrc
- # https://sevic.dev/npm-publish-github-actions/
- # NPM can expand enviroment variables, this we avoid write the token in the filesystem
- # shellcheck disable=SC2016
- echo '//registry.npmjs.org/:_authToken=${NPM_TOKEN}'
- echo "@pipedrive:registry=https://registry.npmjs.org"
- echo "always-auth=true"
- } > .npmrc
-
 - name: Read package.json
 id: read-package-json
 shell: bash
@@ -179,8 +153,6 @@ jobs:
 - name: Publish to NPM
 uses: pipedrive/gha-command-retry@v3
 env:
- ## Not set NPM_TOKEN when using trusted publisher because in that flow that token is not needed
- NPM_TOKEN: ${{ !inputs.use_trusted_publisher && secrets.NPM_PUBLIC_PUBLISH_TOKEN || '' }}
 VERSION: ${{ inputs.version }}
 PUBLISH_ACCESS: ${{ steps.read-package-json.outputs.publish_access }}
 with:

From 98a842bb4e511cd1a1174d3ad35c7ddb762991f3 Mon Sep 17 00:00:00 2001
From: Ahmed Abdullajev
Date: Mon, 15 Jun 2026 16:18:06 +0300
Subject: [PATCH 2/4] CICDL-378: Remove use_trusted_publisher input from both workflows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

OIDC is now the only publish path — the toggle is no longer needed. Removes the input from the wrapper (reusable_cicd-npm-publish.yml) and the inner workflow (reusable_cicd-npm-package-publish.yml).

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/reusable_cicd-npm-package-publish.yml | 5 -----
 .github/workflows/reusable_cicd-npm-publish.yml | 6 ------
 2 files changed, 11 deletions(-)

diff --git a/.github/workflows/reusable_cicd-npm-package-publish.yml b/.github/workflows/reusable_cicd-npm-package-publish.yml
index 144340c..e47a526 100644
--- a/.github/workflows/reusable_cicd-npm-package-publish.yml
+++ b/.github/workflows/reusable_cicd-npm-package-publish.yml
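Review bot: With the `Create .npmrc for publishing` step gone, the `@pipedrive:registry=https://registry.npmjs.org` scope mapping it wrote is gone too, so the registry `npm publish` targets now comes from whatever `.npmrc` or `publishConfig` the checked-out package repository provides, which is not visible in this diff. If a caller's repo-level `.npmrc` maps the `@pipedrive` scope to another registry, the publish would be attempted there instead of npmjs.com; the OIDC flow should then fail rather than leak anything, but the failure would only surface at publish time and be retried. Consider pinning the registry explicitly, e.g. `registry-url: https://registry.npmjs.org` on the node setup step if this workflow uses `actions/setup-node`, or `--registry=https://registry.npmjs.org` on the publish command, with a comment saying the scope mapping previously came from the generated `.npmrc`. The enclosing job continues on both sides of this hunk.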
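Review bot: The `env:` block of `Publish to NPM` loses the only comment that explained how the step authenticates, so a reader now sees a publish step with no token and no hint that this is intentional. Replace the removed `## Not set NPM_TOKEN …` line with a short note in the same place, e.g. `# Auth comes from npm Trusted Publishing (OIDC) via the job's id-token: write permission; no token env is set on purpose.`, so nobody re-adds a token when debugging an auth failure. The step continues past the end of this hunk.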
@@ -22,11 +22,6 @@ on:
 type: number
 default: 180
 required: false
- use_trusted_publisher:
- description: Use NPM Trusted Publishers (OIDC) instead of NPM token. Requires trusted publisher registered on npmjs.com.
- type: boolean
- required: false
- default: false
 secrets:
 PD_PUBLIC_GHA_BOT_APPLICATION_PRIVATE_KEY_PEM:
 required: true
diff --git a/.github/workflows/reusable_cicd-npm-publish.yml b/.github/workflows/reusable_cicd-npm-publish.yml
index 10f012b..b75a275 100644
--- a/.github/workflows/reusable_cicd-npm-publish.yml
+++ b/.github/workflows/reusable_cicd-npm-publish.yml
@@ -31,11 +31,6 @@ on:
 type: string
 required: false
 default: ubuntu-latest
- use_trusted_publisher:
- description: Use NPM Trusted Publishers (OIDC) instead of NPM token. Requires trusted publisher registered on npmjs.com.
- type: boolean
- required: false
- default: false
 env:
 platform: node
 jobs:
@@ -71,5 +66,4 @@ jobs:
 version: ${{ needs.package-checks.outputs.version }}
 runner: ${{ inputs.runner }}
 publish_timeout_seconds: ${{ inputs.publish_timeout_seconds }}
- use_trusted_publisher: ${{ inputs.use_trusted_publisher }}
 secrets: inherit

From f8558bce0f84248462bbd3bc36b69a9d3c59b944 Mon Sep 17 00:00:00 2001
From: Ahmed Abdullajev
Date: Mon, 15 Jun 2026 17:05:01 +0300
Subject: [PATCH 3/4] CICDL-378: Temporarily point inner workflow to feature branch for testing

Will revert before merging.

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/reusable_cicd-npm-publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/reusable_cicd-npm-publish.yml b/.github/workflows/reusable_cicd-npm-publish.yml
index b75a275..94078de 100644
--- a/.github/workflows/reusable_cicd-npm-publish.yml
+++ b/.github/workflows/reusable_cicd-npm-publish.yml
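Review bot: Deleting the `use_trusted_publisher` input here, and again in the wrapper's `-31,11` hunk, is a breaking change for any caller that still passes it: as far as I know GitHub rejects a `workflow_call` invocation that supplies an input the called workflow does not declare, so repositories that set `use_trusted_publisher: true` when calling `reusable_cicd-npm-publish.yml` would stop at validation instead of merely ignoring the flag. The commit message says the toggle is no longer needed but not that every caller has dropped it; either state that the callers were migrated, or keep the input declared for one release with a description such as `description: Deprecated and ignored; publishing is always OIDC (Trusted Publishers).` and remove it once callers are clean. The wrapper's `-71,5` hunk is consistent with this removal and needs no separate change.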
@@ -60,7 +60,7 @@ jobs:
 permissions:
 id-token: write
 contents: read
- uses: pipedrive-actions/github-actions-workflows/.github/workflows/reusable_cicd-npm-package-publish.yml@master
+ uses: pipedrive-actions/github-actions-workflows/.github/workflows/reusable_cicd-npm-package-publish.yml@CICDL-378-remove-npm-public-publish-token
 with:
 revision: ${{inputs.revision }}
 version: ${{ needs.package-checks.outputs.version }}

From 1952b9d9b9af49886bec429d40baa2bdb0b02f1b Mon Sep 17 00:00:00 2001
From: Ahmed Abdullajev
Date: Mon, 15 Jun 2026 17:09:21 +0300
Subject: [PATCH 4/4] CICDL-378: Revert temporary branch ref back to @master
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Test passed — OIDC-only publish verified in test-public-npm-module#32.

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/reusable_cicd-npm-publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/reusable_cicd-npm-publish.yml b/.github/workflows/reusable_cicd-npm-publish.yml
index 94078de..b75a275 100644
--- a/.github/workflows/reusable_cicd-npm-publish.yml
+++ b/.github/workflows/reusable_cicd-npm-publish.yml
@@ -60,7 +60,7 @@ jobs:
 permissions:
 id-token: write
 contents: read
- uses: pipedrive-actions/github-actions-workflows/.github/workflows/reusable_cicd-npm-package-publish.yml@CICDL-378-remove-npm-public-publish-token
+ uses: pipedrive-actions/github-actions-workflows/.github/workflows/reusable_cicd-npm-package-publish.yml@master
 with:
 revision: ${{inputs.revision }}
 version: ${{ needs.package-checks.outputs.version }}
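Review bot: The temporary `uses:` ref to the `CICDL-378-remove-npm-public-publish-token` branch is undone by 4/4, but merging the series as-is still records a commit in which the wrapper resolves the publishing job, which runs with `id-token: write`, from a mutable feature branch; squash 3/4 and 4/4 (or drop both) before merge so that state never exists on the main branch. Separately, and not introduced by this change, the restored `@master` ref is itself a mutable branch; since the inner workflow publishes on the caller's behalf, pinning it to a release tag or full commit SHA would be the usual hardening, with a comment next to the `uses:` line saying why. The job definition starts before this hunk.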