From 0771c4ac9c24798f064d9295395ec668c69d461b Mon Sep 17 00:00:00 2001
From: Danyal Aytekin
Date: Sat, 3 Jan 2026 22:34:21 +0000
Subject: [PATCH] Use OIDC for publishing
---
 .github/workflows/publish.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 017a991..92b09d1 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -9,6 +9,10 @@ on:
 default: true
 type: boolean
+permissions:
+ contents: read
+ id-token: write
+
 jobs:
 publish:
 runs-on: ubuntu-latest
@@ -19,21 +23,17 @@ jobs:
 - uses: actions/checkout@v6
 - uses: actions/setup-node@v6
 with:
- node-version: 22
+ node-version: 24
 registry-url: https://registry.npmjs.org
 - run: npm ci
 - name: Publish package
- env:
- NODE_AUTH_TOKEN: ${{ secrets.REGISTRY_PUBLISH_TOKEN }}
 if: >
 (github.event_name == 'release' && github.event.action == 'published') ||
 (github.event_name == 'workflow_dispatch' && !inputs.dryRun)
 run: npm publish --provenance --access public
 - name: Publish package (dry run)
- env:
- NODE_AUTH_TOKEN: ${{ secrets.REGISTRY_PUBLISH_TOKEN }}
 if: >
 (github.event_name == 'release' && github.event.action != 'published') ||
 (github.event_name == 'workflow_dispatch' && inputs.dryRun)
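Review bot: The `permissions:` block added in the `@@ -9,6 +9,10 @@` hunk sits at workflow level, so `id-token: write` is granted to every job this file has or later gains, not only to the one that publishes. Only the `publish` job is visible here, so the effect today is probably the same, but scoping the grant keeps it from spreading silently: leave `permissions:` with `contents: read` at the top and put `permissions: { contents: read, id-token: write }` under `jobs.publish`. A short comment such as `# id-token: write is required for npm trusted publishing (OIDC)` would tell the next maintainer why the grant exists. The job body continues outside this hunk.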
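Review bot: Dropping `NODE_AUTH_TOKEN` in the `@@ -19,21 +23,17 @@` hunk moves the publish credential from two step-level `env:` entries to a job-wide capability, so `- run: npm ci` and the dry-run step now execute with the same ability to request the publishing identity as the real `npm publish`. Dependency lifecycle scripts run during `npm ci`; if the package does not need them, `- run: npm ci --ignore-scripts` narrows that exposure, and otherwise installing in a separate job without `id-token: write` would. The actions in this job are referenced by mutable tag (`actions/checkout@v6`, `actions/setup-node@v6`), and pinning them to a full commit SHA is worth doing in a workflow that can publish. The now-unreferenced `REGISTRY_PUBLISH_TOKEN` secret should be revoked at the registry and deleted from the repository once this lands, since removing the references does not invalidate it. The dry-run step's `run:` line lies outside the hunk, so it cannot be checked from here.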