From c051d126942740819405d33854b4815a2c9f2517 Mon Sep 17 00:00:00 2001
From: Thomas Klepzig
Date: Fri, 2 Jan 2026 17:01:43 +0100
Subject: [PATCH] Adjust CI to use npm trusted publishing
---
.github/workflows/publish-switch.yml | 27 ++++++++++++++++++++++++++
.github/workflows/release-snapshot.yml | 11 ++++-------
.github/workflows/release.yml | 7 +++----
.tool-versions | 2 +-
4 files changed, 35 insertions(+), 12 deletions(-)
create mode 100644 .github/workflows/publish-switch.yml
diff --git a/.github/workflows/publish-switch.yml b/.github/workflows/publish-switch.yml
new file mode 100644
index 0000000..bf0fe70
--- /dev/null
+++ b/.github/workflows/publish-switch.yml
@@ -0,0 +1,27 @@
+name: Publish switch
+
+on:
+ issue_comment:
+ types: ["created"]
+ push:
+ branches:
+ - master
+
+permissions:
+ id-token: write
+
+jobs:
+ release-snapshot:
+ if: github.event_name == 'issue_comment'
+ uses: ./.github/workflows/release-snapshot.yml
+ secrets: inherit
+ permissions:
+ id-token: write
+ pull-requests: write
+
+ release:
+ if: github.event_name == 'push'
+ uses: ./.github/workflows/release.yml
+ secrets: inherit
+ permissions:
+ id-token: write
diff --git a/.github/workflows/release-snapshot.yml b/.github/workflows/release-snapshot.yml
index 713e111..8dbce9b 100644
--- a/.github/workflows/release-snapshot.yml
+++ b/.github/workflows/release-snapshot.yml
@@ -1,8 +1,7 @@ name: Release Snapshot on: - issue_comment: - types: ["created"] + workflow_call: concurrency: ${{ github.workflow }}-${{ github.ref }}
@@ -13,6 +12,9 @@ jobs: ${{ github.event.issue.pull_request && github.event.comment.body == '/snapshot' }} runs-on: ubuntu-latest + permissions: + id-token: write + pull-requests: write steps: - name: Add initial reaction uses: peter-evans/create-or-update-comment@v4
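Review bot: In publish-switch.yml the `release-snapshot` job is started by every `issue_comment` event with `id-token: write` and `secrets: inherit`, and nothing visible restricts who the commenter is; the only gate before the workflow identity used for trusted publishing is the `/snapshot` body check inside release-snapshot.yml. I would move the gate into the caller and add an author check, e.g. `if: github.event_name == 'issue_comment' && github.event.issue.pull_request && github.event.comment.body == '/snapshot' && contains(fromJSON('["OWNER","MEMBER","COLLABORATOR"]'), github.event.comment.author_association)`. With the npm token removed, `secrets: inherit` could be narrowed to the secrets each called workflow still reads (release.yml reads `REPO_TOKEN`), which needs matching `secrets:` declarations under `workflow_call`. The workflow-level `permissions` could also be `{}`, since both jobs declare their own.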
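Review bot: The unchanged `concurrency: ${{ github.workflow }}-${{ github.ref }}` line in release-snapshot.yml (and the identical one in release.yml) is now evaluated in the caller's context, so both called workflows likely resolve to the same group, `Publish switch-<default branch ref>`, where they previously had distinct names. A comment-triggered run could then queue behind a release run, or displace a pending one. A literal prefix per workflow keeps the groups apart, e.g. `concurrency: release-snapshot-${{ github.ref }}` here and `concurrency: release-${{ github.ref }}` in release.yml.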
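Review bot: The job in release-snapshot.yml that now holds `id-token: write` still runs `peter-evans/create-or-update-comment@v4` from a mutable tag, and any step in such a job can request the OIDC token used for publishing; the same applies to `actions/checkout@v4` in the `release` job of release.yml. Pinning each action to a full commit SHA, in the form `uses: peter-evans/create-or-update-comment@<full-commit-sha> # v4`, removes the dependency on tag integrity. Separately, a `permissions` block sets every unlisted scope to `none`, so if a later step in either job reads the repository with the default token, `contents: read` has to be listed as well. Both jobs continue outside the hunks shown.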
@@ -64,11 +66,6 @@ jobs: - name: Build packages run: npm run build - - name: Create .npmrc - run: - echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > - ~/.npmrc - - name: Publish packages id: publish run: |
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 153f716..2d520eb 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,9 +1,7 @@ name: Release on: - push: - branches: - - master + workflow_call: concurrency: ${{ github.workflow }}-${{ github.ref }}
@@ -11,6 +9,8 @@ jobs: release: name: Release runs-on: ubuntu-latest + permissions: + id-token: write steps: - name: Checkout Repo uses: actions/checkout@v4
@@ -33,4 +33,3 @@ jobs: title: Publish Version env: GITHUB_TOKEN: ${{ secrets.REPO_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.tool-versions b/.tool-versions
index 7bd5f0b..3df4331 100644
--- a/.tool-versions
+++ b/.tool-versions
@@ -1 +1 @@
-nodejs 20.10.0
+nodejs 24.11.0