From d762bf266fe0df76ddb6a9502a0486ea88811fa8 Mon Sep 17 00:00:00 2001
From: Luca Tumedei
Date: Tue, 9 Dec 2025 15:58:04 +0100
Subject: [PATCH] build: udpate publish to use trusted publisher

---
 .github/workflows/publish.yml | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 904c64e..7523d34 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -1,13 +1,15 @@
-# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created
-# For more information see: https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages
-
+# This uses OIDC Trusted Publishing: https://docs.npmjs.com/trusted-publishers
 
 name: Publish package on npm
 on:
   release:
-    types: [created]
+    types: [published]
   workflow_dispatch:
 
+permissions:
+  id-token: write # Required for OIDC
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -52,11 +54,16 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+
+      # We need to use npm for trusted publishing.
+      - name: Set up node
+        uses: actions/setup-node@v4
         with:
           node-version: 18.17.0
-          registry-url: https://registry.npmjs.org/
+          registry-url: 'https://registry.npmjs.org'
+
       - run: npm ci
-      - run: npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
+
+      # npm >=11.5.1 automatically supports OIDC trusted publishing.
+      - name: Publish package to NPM
+        run: npm publish --verbose --access public
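Review bot: The new workflow-level `permissions:` block grants `id-token: write` to every job in the file, including the `build` job that appears right below it and never publishes, which is broader than OIDC needs. Only the job that runs `npm publish` needs to mint an identity token, so the three lines `permissions:` / `  id-token: write` / `  contents: read` belong under that job's key (in the second hunk's job, whose header is outside the hunk) rather than at the top of the file; the `build` job is then left with the repository default. Also, yamllint expects two spaces before an inline comment, so `id-token: write  # Required for OIDC`.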
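Review bot: The added comment says npm >=11.5.1 is needed for OIDC trusted publishing, but nothing in the hunk ensures that version: `node-version: 18.17.0` is kept, and the npm bundled with Node 18 is a 9.x release, with npm 11 not supporting Node 18 at all, so `npm publish` would have no token and no OIDC path once `NODE_AUTH_TOKEN` is removed. Either bump `node-version` to a release that npm 11 supports (Node 20.17+ or 22.9+) or add a step such as `- run: npm install -g npm@latest` before the publish step, and consider documenting the actual requirement in the comment, e.g. `# Trusted publishing needs npm >=11.5.1, which requires Node 20.17+ / 22.9+.` Once this is merged the now-unused `NPM_TOKEN` repository secret should be revoked on npm and deleted from the repository so it cannot be reused by another workflow. The enclosing job starts before this hunk.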