From b4d70038dabaf5c1cee600f58bb867c43916e474 Mon Sep 17 00:00:00 2001
From: Carlos Torres
Date: Thu, 14 May 2026 12:58:41 +0200
Subject: [PATCH] Use npm trusted publishing (OIDC) instead of NPM_TOKEN
Removes dependency on long-lived npm tokens that expire every 90 days.
Co-authored-by: Cursor
---
 .github/workflows/npm-publish.yml | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index baccc08..8395dba 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -6,8 +6,16 @@ on:
 jobs:
 publish-npm:
- uses: cabify/javascript-actions/.github/workflows/npm_publish.yml@main
- with:
- tag: ${{ contains(github.ref_name,'beta') && 'beta' || 'latest' }}
- secrets:
- token: ${{ secrets.NPM_TOKEN }}
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
+ with:
+ node-version: 24
+ registry-url: https://registry.npmjs.org
+ - run: yarn install
+ - run: yarn build
+ - run: npm publish --provenance --tag ${{ contains(github.ref_name,'beta') && 'beta' || 'latest' }}
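Review bot: The `- run: yarn install` step does not enforce the lockfile, yet it runs in the same job that holds `id-token: write` and publishes, so the dependency tree that gets built and shipped can drift from the one that was reviewed. Change it to `- run: yarn install --frozen-lockfile` on Yarn 1 or `- run: yarn install --immutable` on Yarn 2+; the Yarn version in use is not visible in this hunk. Dependency lifecycle scripts and `yarn build` also execute inside the job that can mint the OIDC publishing credential, so it is worth considering a separate build job without `id-token: write` that hands the packed artifact to a minimal publish job. `actions/checkout@v4` and `actions/setup-node@v4` are mutable tags; in a release job, pinning each to a full commit SHA (`actions/checkout@<full-commit-sha> # v4`) keeps a retagged action from running with publish rights. The workflow's `on:` trigger sits outside the hunk, so which refs can reach this job could not be checked here.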