From ecc19cf0a61e1b6b685eed09ba794f074c5f1212 Mon Sep 17 00:00:00 2001
From: Colin Rotherham
Date: Fri, 23 Jan 2026 17:04:24 +0000
Subject: [PATCH] Add trusted publishing for npm package
---
 .github/workflows/release.yml | 7 +++----
 README.md | 2 --
 2 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a3ee55378..36aadc49e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -8,6 +8,9 @@ jobs:
 build:
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+
 steps:
 - name: Checkout
 uses: actions/checkout@v6
@@ -39,11 +42,7 @@ jobs:
 - name: Publish npm package
 if: ${{ !github.event.release.prerelease }}
 run: npm publish --tag latest
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 - name: Publish npm package (pre-release)
 if: ${{ github.event.release.prerelease }}
 run: npm publish --tag beta
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/README.md b/README.md
index 4b61a13a5..d0cc03c35 100644
--- a/README.md
+++ b/README.md
@@ -62,8 +62,6 @@ Releases run in CI using github actions. To prepare a release create a new release TAG in github with your release version.
-> `NPM_TOKEN` should be stored in the repositories [secrets in GitHub](https://github.com/NHSDigital/nhsuk-react-components/settings/secrets/actions)
-
 - Create a new release with a tag like `major.minor.patch` against main.
 - If the change is a `beta` then select `pre-release` as true, this will make the `tag` point at `beta`. Otherwise the tag will be `latest`.
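Review bot: The new `permissions:` block grants `id-token: write` to the whole `build` job, so every step in it (dependency install, build scripts, any third-party action) can request an OIDC token that npm will accept for publishing, not only the two publish steps. Declaring the block also drops every unlisted scope to `none`, so I would state the checkout scope explicitly with `contents: read` and add a comment such as `# id-token: write is required for npm trusted publishing (OIDC)`. Longer term, consider moving the two publish steps into their own job that carries `id-token: write` and letting `build` run without it. `actions/checkout@v6` in the context lines is referenced by tag; pinning it to a commit SHA matters more now that this job can obtain publish credentials. The steps between the two hunks are not visible here, so what else runs under this permission cannot be judged from the diff.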
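Review bot: With `NODE_AUTH_TOKEN` removed, both `npm publish` steps depend entirely on the OIDC exchange, and nothing in this hunk checks that the runner's npm CLI is new enough to perform it (npm documents 11.5.1 as the minimum for trusted publishing). The Node/npm setup step is outside the hunk, so this may already be covered; if not, an explicit step before publishing such as `run: npm install -g npm@^11.5.1` makes the requirement visible and fails early. Separately, dropping the `env:` lines does not invalidate the old credential: the `NPM_TOKEN` repository secret and the npm token behind it should be deleted and revoked once the first OIDC release succeeds, otherwise the long-lived token remains usable. A short comment above the publish steps, e.g. `# Auth: npm trusted publisher must be configured for release.yml`, would also help, since the publisher binding is tied to the workflow filename and a rename would break releases.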