From 7663cc692dc172e8c58a550bf88786553c216c6b Mon Sep 17 00:00:00 2001
From: Sylvain Joubert
Date: Mon, 20 Oct 2025 16:31:49 +0200
Subject: [PATCH] Use more restrictive workflow rights and OIDC for npm publishing

---
 .github/workflows/publish.yaml | 10 ++++++----
 .github/workflows/track_dependencies.yml | 3 +++
 2 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index b2a4686..1c44b8f 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -1,7 +1,13 @@
 name: Node.js Package on npm
+
 on:
   release:
     types: [created]
+
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   build:
     name: Build & Publish
@@ -16,7 +22,3 @@ jobs:
       - run: npm version ${{ github.event.release.tag_name }} --allow-same-version --no-git-tag-version
       - run: npm install
       - run: npm publish
-        env:
-          NPM_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}
diff --git a/.github/workflows/track_dependencies.yml b/.github/workflows/track_dependencies.yml
index c1c8ed8..df33586 100644
--- a/.github/workflows/track_dependencies.yml
+++ b/.github/workflows/track_dependencies.yml
@@ -6,6 +6,9 @@ on:
     branches:
       - master
 
+permissions:
+  contents: read
+
 jobs:
   dependency_track:
     runs-on: ubuntu-latest
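Review bot: `id-token: write` is granted at workflow level in the new `permissions:` block, so every job in publish.yaml can mint an OIDC token; with the single `build` job that is equivalent today, but scoping it to the job keeps a later-added job (tests, release notes) from being able to publish. Consider moving the block under `build:` as `permissions:` / `contents: read` / `id-token: write`. A comment above the block would also tell the next maintainer why the token scope is there: `# id-token: write lets npm publish authenticate via OIDC trusted publishing instead of a stored token`. The `jobs:` mapping continues past the end of the hunk.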
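Review bot: Dropping the token `env:` from the `npm publish` step only works if the package's trusted publisher on npmjs.com is bound to this repository and to the workflow filename `publish.yaml`, and nothing in the diff records that dependency; a comment on the step such as `# authenticates via npm trusted publishing (OIDC); the npm-side publisher config is bound to this workflow's filename` would keep a future rename from silently breaking releases. Trusted publishing also needs a recent npm CLI (11.5.1 or later, as far as I recall) — the setup-node step sits above line 16, outside the hunk, so verify the pinned Node version ships one. Finally, the now-unused `NPM_AUTH_TOKEN` and `NPM_TOKEN` repository secrets should be deleted and the corresponding npm tokens revoked, otherwise the long-lived credential this change is meant to retire stays valid.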