From 65041d574557cf948747da9d39000a3ecb81c0c8 Mon Sep 17 00:00:00 2001
From: hopeatina <hopeatina@gmail.com>
Date: Thu, 21 May 2026 21:05:33 -0500
Subject: [PATCH] docs: align npm trusted publishing setup

---
 .github/workflows/publish.yml | 9 +++++++--
 README.md                     | 7 +++++++
 2 files changed, 14 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index d290268..7e23c67 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -12,14 +12,19 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         with:
           node-version: "24"
           registry-url: "https://registry.npmjs.org"
           package-manager-cache: false
 
+      - name: Check npm trusted publishing runtime
+        run: |
+          node --version
+          npm --version
+
       - name: Install dependencies
         run: npm install --no-audit --no-fund
 
diff --git a/README.md b/README.md
index 749d7d7..8e20aaf 100644
--- a/README.md
+++ b/README.md
@@ -105,10 +105,17 @@ Configure the package trusted publisher on npmjs.com with:
 - Organization or user: `useorgx`
 - Repository: `orgx-opencode-plugin`
 - Workflow filename: `publish.yml`
+- Allowed action: `npm publish`
+- Environment name: leave empty unless this workflow is later moved behind a GitHub environment
 
 The package `repository.url` must keep matching this GitHub repository exactly,
 otherwise npm trusted publishing can fail authentication.
 
+If the release workflow builds successfully but fails at `npm publish` with
+`E404` / "not found or you do not have permission", re-check the npm package's
+trusted publisher settings above. The workflow uses OIDC, so a local npm login
+is not used by GitHub Actions.
+
 ## Status
 
 Alpha. Part of the Sovereign Execution initiative (`993cabeb`).