Chore/release packages (#1203)

* chore: update npm publishing workflow and package metadata

- Added `id-token` permission for OIDC support in GitHub Actions.
- Updated npm to the latest version and verified the installation in the release workflow.
- Changed package metadata URLs for all SDK packages to point to the new repository location.
- Updated the repository URL in the root package.json for consistency.

* chore(packages): add release changeset

- add release changeset

* chore(changeset): add release changeset

Author: ajimae

.changeset/gentle-zoos-juggle.md

@@ -0,0 +1,11 @@
+---
+'@commercetools/checkout-sdk': minor
+'@commercetools/history-sdk': minor
+'@commercetools/importapi-sdk': minor
+'@commercetools/platform-sdk': minor
+'@commercetools/sdk-client-v2': minor
+'@commercetools/ts-client': minor
+'@commercetools/ts-sdk-apm': minor
+---
+
+release packages

.changeset/strong-suns-cover.md

@@ -0,0 +1,10 @@
+---
+'@commercetools/ts-client': patch
+'@commercetools/checkout-sdk': patch
+'@commercetools/platform-sdk': patch
+'@commercetools/history-sdk': patch
+'@commercetools/sdk-client-v2': patch
+'@commercetools/ts-sdk-apm': patch
+---
+
+release changeset

.github/workflows/release.yml

@@ -49,15 +49,47 @@ jobs:
       - name: Verify npm version
         run: npm --version
 
+      # Configure npm for OIDC authentication with trusted publishing
+      # This must be done after CI setup to ensure npm is properly configured
+
       - name: Setup Node.js for npm publishing
         uses: actions/setup-node@v4
         with:
           node-version: '22'
           registry-url: 'https://registry.npmjs.org'
 
+      - name: Configure npm for OIDC
+        run: |
+          # Ensure npm is configured to use the correct registry
+          npm config set registry https://registry.npmjs.org/
+          # Remove any existing auth token configuration that might interfere with OIDC
+          npm config delete //registry.npmjs.org/:_authToken || true
+          # Remove any user-level .npmrc that might have tokens
+          if [ -f "$HOME/.npmrc" ]; then
+            # Backup and clean .npmrc, keeping only non-auth config
+            sed -i.bak '/_authToken/d' "$HOME/.npmrc" || true
+            sed -i.bak '/_auth=/d' "$HOME/.npmrc" || true
+          fi
+          # Verify configuration
+          echo "Registry: $(npm config get registry)"
+          echo "npm OIDC will be used automatically during publish"
+          # Show npm config (without sensitive data)
+          npm config list
+
       - name: Building packages
         run: yarn build
 
+      - name: Ensure .npmrc is configured for OIDC before changesets
+        run: |
+          # Create/update .npmrc to ensure OIDC is used
+          # setup-node should have already configured this, but we ensure it's correct
+          if [ -f "$HOME/.npmrc" ]; then
+            echo "Current .npmrc content:"
+            cat "$HOME/.npmrc" | grep -v "authToken" | grep -v "_auth" || true
+          fi
+          # Ensure registry is set
+          npm config set registry https://registry.npmjs.org/
+
       - name: Create Release Pull Request or Publish to npm
         id: changesets
         uses: changesets/action@v1
@@ -67,6 +99,8 @@ jobs:
           commit: 'ci(changesets): version packages'
         env:
           GITHUB_TOKEN: ${{ steps.generate_github_token.outputs.token }}
+          # Ensure npm uses OIDC authentication
+          NPM_CONFIG_REGISTRY: 'https://registry.npmjs.org'
 
       - name: Dispatch repository event
         if: steps.changesets.outputs.published == 'true'