From 7ecd8296e793a5df42bf4d9265f92d69e0491d45 Mon Sep 17 00:00:00 2001
From: Lucas Koehler <lkoehler@eclipsesource.com>
Date: Wed, 15 Oct 2025 17:25:52 +0200
Subject: [PATCH] ci: Adapt publish.yaml  to use npm's trusted publishing

- Add comment to clarify id-token: write permission
- Remove obsolete usage of NPM auth token
---
 .github/workflows/publish.yaml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 4d8225e4d5..31046aa9b8 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -24,7 +24,7 @@ jobs:
   publish:
     permissions:
       contents: 'write'
-      id-token: 'write'
+      id-token: 'write' # Required for npm OIDC
     runs-on: 'ubuntu-latest'
     steps:
       - uses: 'actions/checkout@v4'
@@ -87,5 +87,4 @@ jobs:
         if: github.event.inputs.skip_publish == 'false'
         run: "pnpm publish --recursive ${{  github.event.inputs.stable_release == 'true' && ' ' || '--tag next' }}"
         env:
-          NODE_AUTH_TOKEN: '${{ secrets.NPM_TOKEN }}'
           NPM_CONFIG_PROVENANCE: 'true'