From 484fd3fa31cb5eef27acde50fd6640f4f5ec3da1 Mon Sep 17 00:00:00 2001
From: Etienne Stalmans <etienne@supabase.io>
Date: Mon, 6 Oct 2025 15:04:17 +0200
Subject: [PATCH] chore(ci): use trusted publishing (npm)

Switch to using trusted publishing instead of granualar access token for
npmjs publishing.

https://docs.npmjs.com/trusted-publishers
---
 .github/workflows/release.yml | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ba76c513..b4092a2e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -41,7 +41,8 @@ jobs:
 
   docker:
     name: Release on Docker Hub
-
+    permissions:
+      contents: read
     needs:
       - release
 
@@ -77,7 +78,9 @@ jobs:
 
   npm:
     name: Release on NPM
-
+    permissions:
+      contents: read
+      id-token: write # OIDC for releasing on npm
     needs:
       - release
 
@@ -99,6 +102,10 @@ jobs:
           cd packages/sync-engine
           pnpm version ${{ needs.release.outputs.new-release-version }} --no-git-tag-version
 
+      # Ensure npm 11.5.1 or later is installed for trusted publishing support
+      - name: Update npm
+        run: npm install -g npm@latest
+
       - name: Publish sync-engine to npm
         run: |
           cd packages/sync-engine
@@ -106,5 +113,3 @@ jobs:
           pnpm run build
           pnpm pack
           npm publish --access public
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}