From 3800e49aa57c1c19c8ba2115ba4b44a38b9304e2 Mon Sep 17 00:00:00 2001
From: Peter Steinberger
Date: Sat, 2 May 2026 03:16:00 +0100
Subject: [PATCH] ci: prefer trusted publishing for plugin releases
---
 .github/workflows/plugin-clawhub-release.yml | 30 ++++++++++++++++++++
 .github/workflows/plugin-npm-release.yml | 1 +
 scripts/plugin-npm-publish.sh | 4 +++
 3 files changed, 35 insertions(+)
diff --git a/.github/workflows/plugin-clawhub-release.yml b/.github/workflows/plugin-clawhub-release.yml
index 7820b0cd3b3..82aadad264b 100644
--- a/.github/workflows/plugin-clawhub-release.yml
+++ b/.github/workflows/plugin-clawhub-release.yml
@@ -247,6 +247,36 @@ jobs:
 chmod +x "$RUNNER_TEMP/clawhub"
 echo "$RUNNER_TEMP" >> "$GITHUB_PATH"
+ - name: Write ClawHub token config
+ env:
+ CLAWHUB_TOKEN: ${{ secrets.CLAWHUB_TOKEN }}
+ CLAWHUB_REGISTRY: ${{ env.CLAWHUB_REGISTRY }}
+ run: |
+ set -euo pipefail
+ if [[ -z "${CLAWHUB_TOKEN}" ]]; then
+ echo "No CLAWHUB_TOKEN secret configured; publish will rely on GitHub OIDC trusted publishing."
+ exit 0
+ fi
+ node --input-type=module <<'EOF'
+ import { writeFileSync } from "node:fs";
+ import { join } from "node:path";
+
+ const path = join(process.env.RUNNER_TEMP, "clawhub-config.json");
+ writeFileSync(
+ path,
+ `${JSON.stringify(
+ {
+ registry: process.env.CLAWHUB_REGISTRY,
+ token: process.env.CLAWHUB_TOKEN,
+ },
+ null,
+ 2,
+ )}\n`,
+ );
+ console.log(path);
+ EOF
+ echo "CLAWHUB_CONFIG_PATH=${RUNNER_TEMP}/clawhub-config.json" >> "$GITHUB_ENV"
+
 - name: Ensure version is not already published
 env:
 PACKAGE_NAME: ${{ matrix.plugin.packageName }}
diff --git a/.github/workflows/plugin-npm-release.yml b/.github/workflows/plugin-npm-release.yml
index 72d2452ef72..87fade32691 100644
--- a/.github/workflows/plugin-npm-release.yml
+++ b/.github/workflows/plugin-npm-release.yml
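Review bot: The config written by `writeFileSync` in the new `Write ClawHub token config` step lands in `$RUNNER_TEMP/clawhub-config.json` with Node's default file mode (0666 masked by the umask, normally world-readable), so the plaintext CLAWHUB_TOKEN is readable by anything else running on the runner for the rest of the job; pass `{ mode: 0o600 }` as the third argument to `writeFileSync` so only the runner user can read it. The step also takes the token path whenever the secret is set and falls back to OIDC only when it is empty, which is the opposite precedence from what the commit title "prefer trusted publishing" suggests; if the token is meant to be the fallback, say so or gate the step on a mode variable as the npm workflow in this commit does. The echo on the empty-token branch is currently the only documentation of the OIDC path, so a comment above the step such as `# A configured CLAWHUB_TOKEN takes precedence over OIDC trusted publishing.` would make the intended order explicit.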
@@ -212,4 +212,5 @@ jobs:
 env:
 NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+ OPENCLAW_NPM_PUBLISH_AUTH_MODE: trusted-publisher
 run: bash scripts/plugin-npm-publish.sh --publish "${{ matrix.plugin.packageDir }}"
diff --git a/scripts/plugin-npm-publish.sh b/scripts/plugin-npm-publish.sh
index 93b418ad6db..e6ff774d3e5 100644
--- a/scripts/plugin-npm-publish.sh
+++ b/scripts/plugin-npm-publish.sh
@@ -83,6 +83,10 @@ case "${mirror_auth_source}" in
 esac
 publish_auth_token="${mirror_auth_token}"
 publish_auth_source="${mirror_auth_source}"
+if [[ "${OPENCLAW_NPM_PUBLISH_AUTH_MODE:-}" == "trusted-publisher" ]]; then
+ publish_auth_token=""
+ publish_auth_source="trusted-publisher"
+fi
 if [[ -n "${publish_auth_token}" ]]; then
 log "Publish auth: ${publish_auth_source} with provenance"
 else
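Review bot: Forcing `OPENCLAW_NPM_PUBLISH_AUTH_MODE: trusted-publisher` while the same `env:` block still injects `NODE_AUTH_TOKEN` and `NPM_TOKEN` keeps a long-lived publish token in the job environment that the trusted-publisher path is meant to make unnecessary, and if npm picks up `NODE_AUTH_TOKEN` through an `.npmrc` written earlier in the job (not visible here) it may still authenticate with the token rather than OIDC, leaving the new mode to change only the log line. Either drop the two token lines from this step or make them conditional on the mode so the OIDC path is actually exercised and the secret's exposure goes away. Trusted publishing also needs the job to hold `id-token: write`; the permissions block lies outside this hunk, so confirm it is present. The enclosing job definition starts before the hunk.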
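Review bot: The new `if` recognizes only the exact value `trusted-publisher`; any other non-empty `OPENCLAW_NPM_PUBLISH_AUTH_MODE` (a typo in the workflow, say) is silently ignored and the script falls back to the resolved mirror token, defeating the intent of forcing the OIDC path. Reject unknown values explicitly, e.g. `elif [[ -n "${OPENCLAW_NPM_PUBLISH_AUTH_MODE:-}" ]]; then` / `echo "Unknown OPENCLAW_NPM_PUBLISH_AUTH_MODE: ${OPENCLAW_NPM_PUBLISH_AUTH_MODE}" >&2; exit 1` before the `fi`. Since the mode variable is otherwise undocumented in this file, a comment above the block such as `# trusted-publisher: discard any resolved token so npm must authenticate via GitHub OIDC` would help the next reader. The `else` branch handling the empty-token case continues outside the hunk.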