From cbaa1c84de505aaf474331b8c21f283f32eb1bb3 Mon Sep 17 00:00:00 2001
From: Gregor Martynus <39992+gr2m@users.noreply.github.com>
Date: Sat, 21 Mar 2026 10:31:15 -0700
Subject: [PATCH] ci(release): add permissions for OIDC and npm provenance

Add id-token, contents, pull-requests, and issues permissions. Remove NPM_TOKEN in favor of trusted publishing via OIDC. Update actions/checkout and actions/setup-node to v4.
---
 .github/workflows/release.yml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 9062782..55aab06 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,13 +6,19 @@ name: Release
 - main
 - next
 - beta
+permissions:
+ id-token: write # to enable use of OIDC for trusted publishing and npm provenance
+ contents: write # tags and releases
+ pull-requests: write # comments
+ issues: write # comments
+
 jobs:
 release:
 name: release
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v6
- - uses: actions/setup-node@v6
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
 with:
 node-version: lts/*
 cache: npm
@@ -20,4 +26,3 @@ jobs:
 - run: npx semantic-release
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
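Review bot: The two new `uses:` lines reference actions by a movable tag (`@v4`) in a job that this same hunk grants `id-token: write` and `contents: write`, so whatever commit the tag resolves to at run time executes with the ability to request the OIDC token used for trusted publishing. Pin both to a full commit SHA and keep the version as a trailing comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v4` (placeholder; take the SHA from the action's own release page). The removed lines used `@v6`, so this is a downgrade even though the description says "Update"; it is worth confirming that is intended. The `permissions:` block sits at workflow level and would be inherited by any job added later, so moving it under `jobs.release` keeps the write scopes limited to the one job that publishes. The `steps:` list continues outside this hunk, so any step between `cache: npm` and the `npx semantic-release` step is not visible here.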