From 2771a5d30bac2b3402837d4423b75c079e46da9e Mon Sep 17 00:00:00 2001
From: Jessica G <jwagantall@linuxfoundation.org>
Date: Tue, 7 Oct 2025 17:50:10 -0700
Subject: [PATCH] chore: Update release workflow with id-token permission

Added permission for id-token and updated npm version.

Signed-off-by: Jessica G <jwagantall@linuxfoundation.org>
---
 .github/workflows/release.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 27a295c69..5fe800385 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -25,6 +25,7 @@ on:
 permissions:
   contents: write
   packages: write
+  id-token: write  # Required for OIDC
 
 jobs:
   unified_release:
@@ -85,6 +86,10 @@ jobs:
           node-version: '20'
           registry-url: 'https://registry.npmjs.org'
 
+      # anchor to the smallest npm version supporting trusted publishing
+      - name: Update npm
+        run: npm install -g npm@11.5.1
+
       - name: Update gradle.properties with new version
         run: |
           sed -i '' 's/^version = *.*.*/version = ${{ github.event.inputs.version }}/' gradle.properties
@@ -133,8 +138,6 @@ jobs:
       - name: NPM publish
         if: ${{ inputs.release_ts }}
         run: ./gradlew :apollo:publishJsPackageToNpmjsRegistry
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - uses: crazy-max/ghaction-import-gpg@v6
         id: import-gpg