From be7d7708bbb5d966c55e51d203dc1a940ebfa207 Mon Sep 17 00:00:00 2001
From: Tom Dupuis <60640908+tomdps@users.noreply.github.com>
Date: Sun, 14 Jun 2026 11:37:45 +0200
Subject: [PATCH 1/2] ci(release): promote trusted publishing workflow

---
 .github/workflows/ci.yml      | 6 +++++-
 .github/workflows/release.yml | 5 ++---
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5fccf82..df8995f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -103,7 +103,11 @@ jobs:
     if: |
       github.ref == 'refs/heads/main' ||
       (github.event_name == 'pull_request' && github.base_ref == 'main') ||
-      (github.event_name == 'merge_group' && github.event.merge_group.base_ref == 'refs/heads/main')
+      (github.event_name == 'merge_group' && (
+        github.event.merge_group.base_ref == 'main' ||
+        github.event.merge_group.base_ref == 'refs/heads/main' ||
+        startsWith(github.ref, 'refs/heads/gh-readonly-queue/main/')
+      ))
     strategy:
       fail-fast: false
       matrix:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7789dce..8f4497d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -133,8 +133,8 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: 22
-          cache: 'npm'
+          node-version: 24
+          registry-url: 'https://registry.npmjs.org'
 
       - name: Install dependencies
         run: npm ci
@@ -164,7 +164,6 @@ jobs:
       - name: Release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: |
           # SAFETY: Manual triggers MUST be dry-run only
           if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then

From 4cea35f4a744e3f1fa7a7e24c6b1fd09e6d97cb9 Mon Sep 17 00:00:00 2001
From: Tom Dupuis <60640908+tomdps@users.noreply.github.com>
Date: Sun, 14 Jun 2026 11:45:07 +0200
Subject: [PATCH 2/2] ci: always run install matrix for merge queue

---
 .github/workflows/ci.yml | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index df8995f..5e819fa 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -103,11 +103,7 @@ jobs:
     if: |
       github.ref == 'refs/heads/main' ||
       (github.event_name == 'pull_request' && github.base_ref == 'main') ||
-      (github.event_name == 'merge_group' && (
-        github.event.merge_group.base_ref == 'main' ||
-        github.event.merge_group.base_ref == 'refs/heads/main' ||
-        startsWith(github.ref, 'refs/heads/gh-readonly-queue/main/')
-      ))
+      github.event_name == 'merge_group'
     strategy:
       fail-fast: false
       matrix: