From 4bb7318584b7e9784795994d945e620abf7c86bb Mon Sep 17 00:00:00 2001
From: Jessica G <jwagantall@linuxfoundation.org>
Date: Fri, 26 Sep 2025 16:07:39 -0700
Subject: [PATCH 1/2] Update node-bindings.yml with permissions

Added permissions for id-token and contents in the workflow.

Signed-off-by: Jessica G <jwagantall@linuxfoundation.org>
---
 .github/workflows/node-bindings.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/node-bindings.yml b/.github/workflows/node-bindings.yml
index 42bf8bd..e3da558 100644
--- a/.github/workflows/node-bindings.yml
+++ b/.github/workflows/node-bindings.yml
@@ -8,6 +8,10 @@ on:
     branches: [ main ]
   workflow_dispatch:
 
+permissions:
+  id-token: write  # Required for OIDC
+  contents: read
+
 jobs:
   ci_checks:
     name: Build checks
@@ -39,6 +43,10 @@ jobs:
         cache-dependency-path: bindings/node/package-lock.json
         registry-url: https://registry.npmjs.org/
 
+    # anchor to the smallest npm version supporting trusted publishing
+    - name: Update npm
+      run: npm install -g npm@11.5.1
+
     - name: Set up Go
       uses: actions/setup-go@v5
       with:
@@ -65,4 +73,3 @@ jobs:
       env:
         NPM_CONFIG_DRY_RUN: ${{ ( github.ref == 'refs/heads/main' || needs.ci_checks.outputs.publish_release == 'true' ) && 'false' || 'true' }}
         NPM_PUBLISH_TAG: ${{ ( needs.ci_checks.outputs.publish_release == 'true' ) && 'next' || 'next-unstable' }}
-        NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

From 047484fd95e5c3666ec128287d2b0d51ca59b983 Mon Sep 17 00:00:00 2001
From: Jessica G <jwagantall@linuxfoundation.org>
Date: Wed, 13 May 2026 12:18:08 -0700
Subject: [PATCH 2/2] Update Node.js version and permissions in workflow

Signed-off-by: Jessica G <jwagantall@linuxfoundation.org>
---
 .github/workflows/node-bindings.yml | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)

diff --git a/.github/workflows/node-bindings.yml b/.github/workflows/node-bindings.yml
index e3da558..8a172cf 100644
--- a/.github/workflows/node-bindings.yml
+++ b/.github/workflows/node-bindings.yml
@@ -8,10 +8,6 @@ on:
     branches: [ main ]
   workflow_dispatch:
 
-permissions:
-  id-token: write  # Required for OIDC
-  contents: read
-
 jobs:
   ci_checks:
     name: Build checks
@@ -21,6 +17,9 @@ jobs:
     name: Build Node.js bindings
     needs: ci_checks
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write  # Required for OIDC
+      contents: read
 
     steps:
     - uses: actions/checkout@v4
@@ -38,14 +37,14 @@ jobs:
 
     - uses: actions/setup-node@v4
       with:
-        node-version: 20
+        node-version: 24
         cache: npm
         cache-dependency-path: bindings/node/package-lock.json
         registry-url: https://registry.npmjs.org/
 
-    # anchor to the smallest npm version supporting trusted publishing
+    # Node.js 24 uses npm 11
     - name: Update npm
-      run: npm install -g npm@11.5.1
+      run: npm install -g npm@11
 
     - name: Set up Go
       uses: actions/setup-go@v5