npm oidc

.github/workflows/release.yml

@@ -1,6 +1,3 @@
-# This workflow will run tests using node and then publish a package to GitHub Packages when a release is created
-# For more information see: https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages
-
 name: Publish Node.js Package
 
 on:
@@ -9,43 +6,44 @@ on:
 env:
   HUSKY: 0
 
+permissions:
+  id-token: write  # Required for OIDC
+  contents: read
+
 jobs:
   build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
+    runs-on: ubuntu-24.04
 
-      - uses: actions/setup-node@v3
-        with:
-          node-version: '20.x'
+    permissions:
+      id-token: write  # Required for OIDC trusted publishing
+      contents: write
 
-  publish-gpr:
-    needs: build
-    runs-on: ubuntu-latest
+   publish:
+    runs-on: ubuntu-24.04
     permissions:
       contents: read
       packages: write
     steps:
-      - uses: actions/checkout@v4
 
       - name: "Set Package Version"
         uses: reedyuk/npm-version@1.1.1
         with:
           version: ${{ github.event.release.tag_name }}
 
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v6
         with:
-          node-version: '20.x'
+          node-version: '24'
           registry-url: "https://registry.npmjs.org"
           scope: "@sistent"
       - run: |
           npm install
           npm run build
-          npm publish --verbose
+          npm publish --provenance --access public --verbose
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NODE_AUTH_TOKEN: ''  # Explicitly empty for install
+
   versions-check:
-    needs: publish-gpr
+    needs: publish
     runs-on: ubuntu-latest
     steps:
       - uses: actions/github-script@v7