From c9e6f056bf11d610a4aa62bf220f66aa89a82fab Mon Sep 17 00:00:00 2001
From: Nicolas Ayral Seydoux
Date: Thu, 30 Oct 2025 10:58:13 +0100
Subject: [PATCH] Setup trusted NPMJS publishers
---
 .github/workflows/release.yml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 52adfdd9c1..8290377c06 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,6 +5,11 @@ on:
 tags:
 - v[0-9]+.[0-9]+.[0-9]+
 
+# Getting an ID token is required for NPMJS trusted publishers
+permissions:
+ id-token: write # Required for OIDC
+ contents: read
+
 env:
 CI: true
 jobs:
@@ -18,8 +23,7 @@ jobs:
 node-version-file: ".nvmrc"
 registry-url: "https://registry.npmjs.org"
 cache: "npm"
-
+ # Ensure npm 11.5.1 or later for trusted publishing
+ - run: npm install -g npm@latest
 - run: npm ci
- - run: npm publish --access public
- env:
- NODE_AUTH_TOKEN: ${{ secrets.INRUPT_NPM_TOKEN }}
+ - run: npm publish
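Review bot: In the first hunk the `permissions:` block is added at workflow level, so `id-token: write` applies to every job in this file rather than only the job that publishes. The `jobs:` section continues outside the hunk, so I cannot tell how many jobs there are. If there is more than one, move `id-token: write` into a `permissions:` block under the publishing job and leave only `contents: read` at the top. The removed `NODE_AUTH_TOKEN` was scoped to the publish step, whereas the ability to request an ID token is open to every step of the job, including dependency lifecycle scripts run by `npm ci`. If the build allows it, `- run: npm ci --ignore-scripts` narrows that exposure.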
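Review bot: In the second hunk, `npm install -g npm@latest` pulls whatever npm release is current at tag time into the job that holds publish rights, so a bad or compromised npm release would run unreviewed in the release path. Pin a version you have tested that meets the stated minimum, e.g. `- run: npm install -g npm@11.5.1`, and bump it deliberately. The new `- run: npm publish` also drops `--access public`. That is safe only if the package is already public on the registry or `publishConfig.access` is set in package.json, neither of which is visible here. Once trusted publishing is confirmed working, the `INRUPT_NPM_TOKEN` secret should be revoked on npmjs.org and deleted from the repository, not just left unused.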