From 494e8e9131faebdfaa8bfb83f0fe7b0aea1ea08e Mon Sep 17 00:00:00 2001
From: James Garbutt <43081j@users.noreply.github.com>
Date: Thu, 21 May 2026 10:08:42 +0100
Subject: [PATCH] chore: enable trusted/staged publishing
---
 .github/workflows/main.yml | 4 ++--
 .github/workflows/publish.yml | 20 ++++++++++++--------
 2 files changed, 14 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index e43a121..3deb9c2 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -14,9 +14,9 @@ jobs:
 fail-fast: false
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 - name: Use Node v${{ matrix.node-version }}
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: ${{ matrix.node-version }}
 - name: Install Dependencies
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 937acb4..5500c4f 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -9,9 +9,11 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - name: Checkout
- uses: actions/checkout@v6
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
 - name: Setup Node
- uses: actions/setup-node@v6
+ uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: 20
 - name: Install Dependencies
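Review bot: In `.github/workflows/main.yml` the `Checkout` step is pinned to a commit SHA but, unlike both checkouts this patch changes in `publish.yml`, it is not given `persist-credentials: false`, so the job's token stays configured for git while the dependency install and whatever steps follow it run. Adding `with:` and `persist-credentials: false` under that step would make the two workflows consistent. This assumes no later step in the job needs git to authenticate; the steps after `Install Dependencies` lie outside the hunk, so that should be confirmed before changing it.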
@@ -28,20 +30,22 @@ jobs:
 runs-on: ubuntu-latest
 permissions:
 id-token: write
- env:
- NODE_AUTH_TOKEN: ${{ secrets.npm_token }}
 steps:
- - uses: actions/checkout@v6
- - uses: actions/setup-node@v6
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+ - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
 with:
 node-version: 22.x
 registry-url: 'https://registry.npmjs.org'
 cache: 'npm'
+ - run: npm install -g npm@~11.10.0 # Work-around for https://github.com/npm/cli/issues/9151#issuecomment-4131466208
+ - run: npm install -g npm@latest
 - run: npm ci
 - run: npm version ${TAG_NAME} --git-tag-version=false
 env:
 TAG_NAME: ${{ github.ref_name }}
- - run: npm publish --provenance --access public --tag next
+ - run: npm stage publish --provenance --access public --tag next
 if: "github.event.release.prerelease"
- - run: npm publish --provenance --access public
+ - run: npm stage publish --provenance --access public
 if: "!github.event.release.prerelease"
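Review bot: The added `npm install -g npm@latest` step leaves the npm CLI floating in the one job that holds `id-token: write`, although the same patch pins both actions to commit SHAs. Whatever npm release is newest when a release is cut will run `npm ci` and the publish step. Pinning it to the exact version that was checked to support `npm stage publish`, e.g. `- run: npm install -g npm@<verified-version>` (placeholder), keeps the publishing toolchain reproducible. The comment on the `npm@~11.10.0` line only links the issue; a sentence on why the upgrade has to go through that version first, and when the step can be dropped, would help the next maintainer. Separately, `npm ci` runs dependency lifecycle scripts inside this job, so `npm ci --ignore-scripts` is worth considering if the package publishes without them, which the hunk does not show.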