From de3d483257c8b993ce09b23b2298661e3e250ae6 Mon Sep 17 00:00:00 2001
From: ymc9 <104139426+ymc9@users.noreply.github.com>
Date: Sat, 23 May 2026 21:52:45 -0700
Subject: [PATCH] ci: switch publish workflow to npm trusted publishing
Use Node 24 (ships npm 11) and provenance via OIDC instead of NPM_TOKEN.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/publish-release.yml | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index 712831013..004d67b9a 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -11,6 +11,7 @@ env:
 permissions:
 contents: write
+ id-token: write
 jobs:
 publish-and-release:
@@ -28,7 +29,7 @@ jobs:
 - name: Use Node.js
 uses: actions/setup-node@v4
 with:
- node-version: 22.x
+ node-version: 24.x
 cache: 'pnpm'
 registry-url: 'https://registry.npmjs.org'
@@ -55,7 +56,7 @@ jobs:
 - name: Publish packages
 run: pnpm run publish-all
 env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+ NPM_CONFIG_PROVENANCE: 'true'
 - name: Generate changelog
 id: changelog
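Review bot: `id-token: write` is granted in the workflow-level `permissions:` block (first hunk), so every job and every step in this workflow can request an OIDC token that the registry will accept for publishing, including any install or build scripts that run before the publish step. Job-level permissions replace the workflow-level set rather than extend it, so I would move both grants under the job as `permissions:` with `contents: write` and `id-token: write` beneath `publish-and-release:`. If build can be separated from publish, keep `id-token: write` only on the job that actually publishes. The job body continues outside the hunk, so whether other jobs exist in this workflow is not visible here.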
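Review bot: With `NODE_AUTH_TOKEN` removed in the third hunk, the publish step has no documented precondition. It now depends on the npm CLI bundled with whatever `24.x` resolves to being recent enough for trusted publishing, and on `publish-all` (defined outside this diff) ending up in that CLI. A comment above the `env:` line would record this, for example `# Auth: npm trusted publishing via OIDC; needs id-token: write and a recent npm 11, no NPM_TOKEN`. `NPM_CONFIG_PROVENANCE: 'true'` is presumably redundant, since trusted publishing is documented to attach provenance by itself, though keeping it is harmless. The `NPM_TOKEN` repository secret should be revoked and deleted once this path is confirmed, otherwise the long-lived credential remains a second way to publish.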