From ca279eef9a1f60a04f5bedb3071dc83e3c433e9c Mon Sep 17 00:00:00 2001
From: Mikalai Silivonik
Date: Wed, 20 May 2026 16:22:56 -0400
Subject: [PATCH] Publish to npm via OIDC Trusted Publishing

Replace the long-lived NPM_TOKEN secret with short-lived OIDC tokens exchanged with npm at publish time. Grants the job id-token: write, upgrades npm to the latest version (Trusted Publishing requires npm >= 11.5.1; Node 20 ships with npm 10), drops NODE_AUTH_TOKEN, and adds --provenance for attestation. Requires the package to be configured as a Trusted Publisher on npmjs.com pointing at this repo and workflow filename (npm.yaml).

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/npm.yaml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/npm.yaml b/.github/workflows/npm.yaml
index 30d37bc..acaba81 100644
--- a/.github/workflows/npm.yaml
+++ b/.github/workflows/npm.yaml
@@ -10,6 +10,9 @@ jobs:
 build:
 runs-on: ubuntu-latest
 timeout-minutes: 10
+ permissions:
+ contents: read
+ id-token: write
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
@@ -21,6 +24,9 @@ jobs:
 cache: 'npm'
 registry-url: 'https://registry.npmjs.org/'
+ - name: Upgrade npm for Trusted Publishing
+ run: npm install -g npm@latest
+
 - name: Determine pre-release tag
 id: release-tag
 run: |
@@ -43,6 +49,4 @@ jobs:
 run: npm run compile
 - name: Publish
- run: npm publish --access public --tag ${{ env.tag }}
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+ run: npm publish --provenance --access public --tag ${{ env.tag }}
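Review bot: `npm install -g npm@latest` in the new "Upgrade npm for Trusted Publishing" step installs an unpinned, floating version of the CLI into the job that holds the `id-token: write` grant, so a broken or compromised npm release on the registry would run with publish authority, and two runs of the workflow are not guaranteed to use the same tool. Pin the CLI to an explicit version at or above the minimum the commit message states and bump it deliberately, e.g. `run: npm install -g npm@11.5.1`. A comment above the step, `# Trusted Publishing needs npm >= 11.5.1; Node 20 ships npm 10`, would keep the reason in the file rather than only in the commit message.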
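Review bot: The rewritten publish line still expands `${{ env.tag }}` inside `run:`, so whatever the "Determine pre-release tag" step (outside this hunk) stores in `tag` is substituted into the shell command text before it executes; if that value can ever derive from a branch or ref name, pass it through the environment instead and quote it, `run: npm publish --provenance --access public --tag "$RELEASE_TAG"` with a step-level `env:` of `RELEASE_TAG: ${{ env.tag }}`. Since `NPM_TOKEN` is no longer referenced anywhere in the workflow, delete it from the repository secrets once the Trusted Publisher is configured, so a previously exposed copy retains no value. Trusted Publishing is expected to produce provenance on its own, so `--provenance` is likely redundant here; it is harmless, but a short inline comment stating it is intentional would save the next reader the question.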