From 72531b19a99403138ffe681601e6ba3c9a98225c Mon Sep 17 00:00:00 2001
From: Rafael Garcia
Date: Sat, 7 Feb 2026 11:39:13 -0500
Subject: [PATCH] chore: switch npm publish from token to OIDC trusted publishers

- Add id-token:write permission for npm OIDC
- Ensure npm >= 11.5.1 (required for OIDC trusted publishing)
- Remove NPM_TOKEN / NODE_AUTH_TOKEN secrets from goreleaser step

GitHub is already configured as a trusted publisher on npmjs.com. GoReleaser's npm pipe will use the OIDC token automatically.

Co-authored-by: Cursor
---
 .github/workflows/release.yaml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index f899e84..8898eae 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -7,6 +7,7 @@ on:
 
 permissions:
   contents: write
+  id-token: write # Required for npm OIDC trusted publishers
 
 jobs:
   release:
@@ -29,6 +30,9 @@ jobs:
         node-version: '20'
         registry-url: 'https://registry.npmjs.org'
 
+      - name: Ensure latest npm (>= 11.5.1 for OIDC)
+        run: npm install -g npm@latest
+
       - name: Clean templates
         run: make clean-templates
 
@@ -41,5 +45,3 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GH_PAT }}
           GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
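Review bot: `id-token: write` is added to the workflow-level `permissions:` block, so every job in this workflow can mint an OIDC token, not just the goreleaser step that publishes to npm. Only the `release` job is visible in the hunk, but a job-level grant keeps any job added later from inheriting the ability to obtain an identity token, which is the least-privilege shape for a publish credential; move the line under `release:` as `permissions:` / `contents: write` / `id-token: write`, dropping `id-token` from the top-level block. While there, the trailing comment needs two spaces before `#` for yamllint's `comments` rule: `id-token: write  # required for npm OIDC trusted publishing`.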
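Review bot: `npm install -g npm@latest` installs an unpinned, mutable version of the tool that performs the release publish, so what runs depends on whatever `latest` resolves to at that moment rather than on the repository contents. Pin an exact known-good version that satisfies the stated floor, `run: npm install -g npm@11.5.1` (or a later exact version), and bump it deliberately; the step name could then say "Pin npm" instead of "Ensure latest npm". Separately, `setup-node` with `registry-url` still writes an `.npmrc` auth line that references `NODE_AUTH_TOKEN`, which this commit no longer sets; presumably npm at this version falls through to OIDC when that variable is absent, but that is worth confirming on a dry run before the next tagged release. The enclosing `steps:` list starts and ends outside the hunk.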