From e16e524cd66aa5f02ae9ed6ae0d1f6c90bac109c Mon Sep 17 00:00:00 2001
From: Ron Cohen
Date: Thu, 5 Feb 2026 12:47:04 +0100
Subject: [PATCH 1/4] fix: use OIDC publishing
---
 .github/workflows/publish.yml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index a220b0a4..71d8f2af 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -5,6 +5,10 @@ on:
 branches:
 - main
 
+permissions:
+ id-token: write # Required publishing to npm using OIDC
+ contents: read
+
 jobs:
 release:
 runs-on: ubuntu-latest
From a3ad79a072491157be79bd3fb9dd413cc3fe0860 Mon Sep 17 00:00:00 2001
From: Ron Cohen
Date: Thu, 5 Feb 2026 13:05:09 +0100
Subject: [PATCH 2/4] fix: do not use npm login with OIDC publishing
---
 .github/workflows/publish.yml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 71d8f2af..52c2741d 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -28,10 +28,6 @@ jobs:
 run: yarn install --immutable
 - name: Build packages
 run: yarn build
- - name: npm login
- run: echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" > .npmrc
- env:
- NPM_TOKEN: ${{ secrets.REFLAG_NPM_TOKEN }}
 - name: Publish
 run: yarn lerna publish from-package --no-private --yes
 - name: Build docs
From 03a79e454960cb86729f143654d2aed35e374619 Mon Sep 17 00:00:00 2001
From: Ron Cohen
Date: Thu, 5 Feb 2026 13:07:58 +0100
Subject: [PATCH 3/4] log the npm version
---
 .github/workflows/publish.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 52c2741d..167e5302 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
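Review bot: The `permissions:` block added in PATCH 1/4 sits at workflow level, so `id-token: write` applies to every job in publish.yml and to every step of `release`, including the `yarn install --immutable` and `yarn build` steps that run before publishing. Any code executing in a job with this permission can request an OIDC token for the workflow, so I would move the block under `jobs.release` and, if practical, publish from a separate job so that only the publishing job carries `id-token: write`. The inline comment is missing a word and would read better as `# Required for publishing to npm using OIDC`. The rest of the workflow is outside the hunk, so whether other jobs exist, or whether a later step such as `Build docs` needs more than `contents: read`, should be checked.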
@@ -24,6 +24,8 @@ jobs:
 cache-dependency-path: "**/yarn.lock"
 registry-url: "https://registry.npmjs.org"
 scope: "@reflag"
+ - name: npm version
+ run: npm version
 - name: Install dependencies
 run: yarn install --immutable
 - name: Build packages
From d4dc2e829b1b3612bb382d67c0528db236b9c8fe Mon Sep 17 00:00:00 2001
From: Ron Cohen
Date: Thu, 5 Feb 2026 13:28:37 +0100
Subject: [PATCH 4/4] fix: upgrade npm
---
 .github/workflows/publish.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 167e5302..0a7e0998 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -24,6 +24,8 @@ jobs:
 cache-dependency-path: "**/yarn.lock"
 registry-url: "https://registry.npmjs.org"
 scope: "@reflag"
+ - name: update npm - remove this once we upgrade Node.js
+ run: npm update
 - name: npm version
 run: npm version
 - name: Install dependencies
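Review bot: `run: npm update` in the step added by PATCH 4/4 does not upgrade the npm CLI; with no arguments it updates the dependencies of the package in the working directory, so the `npm version` step from PATCH 3/4 will most likely still report the npm that ships with the installed Node.js. It also resolves and installs packages from the registry ahead of `yarn install --immutable`, outside the yarn lockfile, in a job that holds `id-token: write`. To get a newer CLI, use a pinned global install such as `run: npm install -g npm@<PINNED_VERSION>` (npm's trusted publishing needs 11.5.1 or later) and keep the "remove this once we upgrade Node.js" reminder in the step name. Whether `lerna publish` actually uses the npm found on PATH is not visible in these hunks and is worth confirming.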