Use trusted publishing

.github/workflows/publish.yml

@@ -12,9 +12,11 @@ on:
         required: true
         type: string
 
+# Workflow-level permissions use least privilege (read-only).
+# Jobs that need elevated permissions (npm OIDC, GHCR push) declare them
+# individually on the job — see publish-npm and publish-docker.
 permissions:
   contents: read
-  packages: write
 
 env:
   REGISTRY: ghcr.io
@@ -114,6 +116,11 @@ jobs:
   publish-npm:
     name: Publish to npmjs.org
     needs: [build-native]
+    # id-token: write is required for npm OIDC trusted publishing;
+    # contents: read for checkout. Scoped to this job only (least privilege).
+    permissions:
+      contents: read
+      id-token: write
     runs-on: [self-hosted, Linux, X64, "1ES.Pool=hld-kvm-amd","JobId=hyperagent-publish-npm-${{ github.run_id }}-${{ github.run_number }}-${{ github.run_attempt }}"]
     steps:
       - uses: actions/checkout@v6
@@ -123,6 +130,11 @@ jobs:
           node-version: "22"
           registry-url: "https://registry.npmjs.org"
 
+      # Trusted publishing requires npm >=11.5.1 for OIDC token exchange.
+      # Pin to ^11.5.1 so we don't silently get an older 11.x that lacks OIDC.
+      - name: Upgrade npm for trusted publishing
+        run: npm install -g npm@^11.5.1 && npm --version
+
       - uses: hyperlight-dev/ci-setup-workflow@v1.9.0
         with:
           rust-toolchain: "1.89"
@@ -152,15 +164,30 @@ jobs:
         if: github.event_name == 'workflow_dispatch'
         run: npm version ${{ inputs.version }} --no-git-tag-version --allow-same-version
 
+      # OIDC trusted publishing for release events; NPM_TOKEN fallback for workflow_dispatch
+      - name: Set publish flags
+        id: publish-flags
+        run: |
+          if [ "${{ github.event_name }}" != "workflow_dispatch" ]; then
+            echo "provenance=--provenance" >> "$GITHUB_OUTPUT"
+          else
+            echo "provenance=" >> "$GITHUB_OUTPUT"
+          fi
+
       - name: Publish to npmjs.org
-        run: npm publish --access public
+        run: npm publish --access public ${{ steps.publish-flags.outputs.provenance }}
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NODE_AUTH_TOKEN: ${{ github.event_name == 'workflow_dispatch' && secrets.NPM_TOKEN || '' }}
 
   # Build and publish Docker image (after tests pass)
   publish-docker:
     name: Publish to GitHub Container Registry
     needs: [build-native]
+    # packages: write for pushing the image to GHCR.
+    # Scoped to this job only (least privilege).
+    permissions:
+      contents: read
+      packages: write
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6

.gitignore

@@ -19,7 +19,6 @@ builtin-modules/*.d.ts.map
 
 # Rust build artifacts
 target/
-Cargo.lock
 *.node
 
 # Log files are written to ~/.hyperagent/logs/ (not in the repo)
@@ -43,7 +42,6 @@ iteration-logs/
 
 # Hyperagent runtime build artifacts
 src/sandbox/runtime/target/
-src/sandbox/runtime/Cargo.lock
 
 # Generated plugin files (compiled from *.ts)
 # These are regenerated via `npm run build:modules`

CHANGELOG.md

@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
+### Changed
+
+- **Trusted npm publishing** — Publish workflow now uses OIDC trusted publishing with `--provenance` for release-triggered publishes, eliminating the need for a long-lived `NPM_TOKEN` secret. Manual `workflow_dispatch` publishes fall back to `NPM_TOKEN`.
+
 ## [v0.1.6] - 2026-03-27
 
 ### Added

docs/RELEASING.md

@@ -50,9 +50,25 @@ git push origin v0.1.1
 The [publish workflow](../.github/workflows/publish.yml) automatically:
 
 1. Runs tests on all hypervisors (KVM, MSHV, WHP)
-2. Publishes npm package to [npmjs.org](https://www.npmjs.com/package/@hyperlight-dev/hyperagent)
+2. Publishes npm package to [npmjs.org](https://www.npmjs.com/package/@hyperlight-dev/hyperagent) with [npm provenance](https://docs.npmjs.com/generating-provenance-statements) via OIDC trusted publishing
 3. Publishes Docker image to GitHub Container Registry (`ghcr.io/hyperlight-dev/hyperagent`)
 
+#### npm Trusted Publishing
+
+Release-triggered publishes use **OIDC trusted publishing** instead of an `NPM_TOKEN` secret:
+
+- The workflow requests an OIDC `id-token` from GitHub Actions and exchanges it with npmjs.org
+- npm attaches a **provenance attestation** (`--provenance`) linking the published package to its source commit and build
+- No long-lived npm API key is required for release publishes
+
+**Prerequisites** (one-time setup on npmjs.com):
+
+1. Go to the [@hyperlight-dev/hyperagent](https://www.npmjs.com/package/@hyperlight-dev/hyperagent) package settings
+2. Under "Publishing access", add a GitHub Actions trusted publisher:
+   - **Organization**: `hyperlight-dev`
+   - **Repository**: `hyperagent`
+   - **Workflow**: `publish.yml`
+
 ## Manual Release (workflow_dispatch)
 
 For testing or hotfixes without creating a git tag:
@@ -61,6 +77,8 @@ For testing or hotfixes without creating a git tag:
 2. Enter version (e.g., `0.1.1-beta.1`)
 3. Click "Run workflow"
 
+> **Note**: Manual dispatches fall back to the `NPM_TOKEN` repository secret (no provenance attestation). This is the emergency path only — prefer tagged releases for production.
+
 ## Verifying a Release
 
 ### npm package