From d3a8be04524260dcc7dcace2acafa99fdae3ab6a Mon Sep 17 00:00:00 2001
From: Javier Bullrich
Date: Tue, 12 May 2026 11:25:38 +0100
Subject: [PATCH] Migrate npm publish to OIDC Trusted Publishers

Removes NPM_TOKEN secret dependency and authenticates via GitHub OIDC instead. Adds npm environment to the publish job for additional security.

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/npm-publish.yml | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 70d4ada..7b4ac77 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -15,6 +15,7 @@ jobs:
 publish:
 name: Build & Publish to NPM
 runs-on: ubuntu-latest
+ environment: npm
 steps:
 - uses: actions/checkout@v4
 - uses: actions/setup-node@v4
@@ -25,5 +26,3 @@ jobs:
 - name: Set version
 run: npm version --no-git-tag-version ${{github.event.release.tag_name}}
 - run: npm publish --provenance --access public
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
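Review bot: The added `environment: npm` line in the first hunk only restricts publishing if two settings outside this file hold: the `npm` environment in the repository carries protection rules (required reviewers or a tag/branch restriction), and the trusted-publisher entry on npmjs.com names that same environment. Neither is visible from the diff, so a comment above the line would record the coupling, e.g. `# Must match the environment named in the npm trusted publisher settings.` OIDC publishing also needs `permissions: id-token: write` on the job or workflow and a recent npm CLI (11.5.1 or newer, as far as I know). The existing `--provenance` flag suggests the permission is already granted above line 15, but the setup-node options between the two hunks are not shown, so the npm version the runner ends up with should be confirmed. The `publish` job starts and ends outside the hunks.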