From a51f3da493dd7cbd8b618b4bc3e4f8db9e99b70a Mon Sep 17 00:00:00 2001
From: Liz Kenyon <elizabeth.kenyon@shopify.com>
Date: Mon, 20 Oct 2025 09:19:38 -0500
Subject: [PATCH] Migrate npm publishing to OIDC trusted publishing
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Eliminates long-lived NPM tokens and provides automatic provenance attestations.
Updated to Node.js 22.x and npm 11.5.1+ required for OIDC support.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 .github/workflows/release.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 55b2b4f..97dd929 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -27,9 +27,13 @@ jobs:
       - name: ⎔ Setup node
         uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
         with:
-          node-version-file: '.nvmrc'
+          node-version: '22.x'
           cache: 'npm'
           cache-dependency-path: 'package-lock.json'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Install npm 11.x for OIDC support
+        run: npm install -g npm@^11.5.1
 
       - name: Install the packages
         run: npm ci
@@ -49,5 +53,4 @@ jobs:
           title: '[ci] release'
         env:
           GITHUB_TOKEN: ${{ secrets.SHOPIFY_GH_ACCESS_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
           NPM_CONFIG_PROVENANCE: true