From cfa64f11f5c38853a55609e548d2aa9974c367e3 Mon Sep 17 00:00:00 2001
From: Shubham Tiwari <stiwari@twilio.com>
Date: Mon, 8 Dec 2025 11:19:42 +0530
Subject: [PATCH 1/4] chore: Add trusted publisher

---
 .github/workflows/release.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6869f59d..abb28296 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -131,6 +131,9 @@ jobs:
   release:
     runs-on: ubuntu-latest
     needs: [update-api-specs]
+    permissions:
+      id-token: write  # Required for OIDC
+      contents: read
     outputs:
       tag-name: ${{ steps.update-release.outputs.TAG_NAME }}
     steps:
@@ -150,7 +153,7 @@ jobs:
         run: DEBUG=semantic-release:* npx semantic-release -t \${version}
         env:
           GITHUB_TOKEN: ${{ secrets.REPO_ACCESS_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true # required for OIDC
       - name: Update release
         id: update-release
         run: |

From da9a7bc3f06e164fa8241d0436344434068077ca Mon Sep 17 00:00:00 2001
From: Shubham Tiwari <stiwari@twilio.com>
Date: Mon, 8 Dec 2025 11:36:07 +0530
Subject: [PATCH 2/4] chore: Add provenance true in .releaserc.json

---
 .releaserc.json | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.releaserc.json b/.releaserc.json
index 187d2ff9..fd0c2fb7 100644
--- a/.releaserc.json
+++ b/.releaserc.json
@@ -58,7 +58,13 @@
         "changelogFile": "CHANGES.md"
       }
     ],
-    "@semantic-release/npm",
+    [
+      "@semantic-release/npm",
+      {
+        "npmPublish": true,
+        "provenance": true
+      }
+    ],
     [
       "@semantic-release/github",
       {

From bfcc7a1246af844493ea9b89af9df38a941cb7a9 Mon Sep 17 00:00:00 2001
From: Shubham Tiwari <stiwari@twilio.com>
Date: Mon, 8 Dec 2025 11:36:44 +0530
Subject: [PATCH 3/4] chore: use latest npm and node version for OIDC

---
 .github/workflows/release.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index abb28296..854f3350 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -145,9 +145,15 @@ jobs:
           git pull
           make install
       - name: Use Node.js 18.x
-        uses: actions/setup-node@v2
+        uses: actions/setup-node@v4
         with:
-          node-version: 18.x
+          node-version: '20'
+          registry-url: 'https://registry.npmjs.org'
+
+      # Ensure npm 11.5.1 or later is installed
+      - name: Update npm
+        run: npm install -g npm@latest
+
       - name: semanticRelease
         id: semantic-release
         run: DEBUG=semantic-release:* npx semantic-release -t \${version}

From 16d1266566c7766d5d920d836aa0c46f7080f109 Mon Sep 17 00:00:00 2001
From: Shubham Tiwari <stiwari@twilio.com>
Date: Mon, 8 Dec 2025 11:42:09 +0530
Subject: [PATCH 4/4] chore: use node 20

---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 854f3350..6dcd7587 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -144,7 +144,7 @@ jobs:
       - run: |
           git pull
           make install
-      - name: Use Node.js 18.x
+      - name: Use Node 20
         uses: actions/setup-node@v4
         with:
           node-version: '20'