From 9d7e79b28a9c816a1ecdfecb236f5b310b68bbde Mon Sep 17 00:00:00 2001
From: Pietro Bongiovanni
Date: Fri, 12 Jun 2026 09:09:08 +0200
Subject: [PATCH] ci(release): use npm trusted publishing via OIDC

Grant id-token write permission, upgrade npm to a version that supports trusted publishing, and drop NPM_TOKEN so semantic-release authenticates to the registry via OIDC instead of a long-lived token.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/release.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2c1224e1..31c2d3f2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,14 +7,19 @@ jobs:
   release:
     name: release
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: write
+      issues: write
+      pull-requests: write
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
           cache: npm
           node-version: lts/*
+      - run: npm install -g npm@latest
       - run: npm clean-install
       - run: npx semantic-release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
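Review bot: The added `- run: npm install -g npm@latest` installs whatever npm happens to be current at release time into the very job that now carries the OIDC publish identity, so the release pipeline is neither reproducible nor reviewable; pin it to a deliberate version, e.g. `- run: npm install -g npm@11` (trusted publishing needs npm 11.5.1 or newer), and bump it through a reviewed change. Deleting the `NPM_TOKEN` env line does not invalidate the long-lived token behind `secrets.NPM_PUBLISH_TOKEN` — revoke it on the registry and remove the repository secret once this workflow has published successfully, otherwise it remains a live credential that this change no longer needs. Trusted publishing also presumably has to be enabled for the package on the registry with this repository and the workflow filename (`release.yml`) registered, and the @semantic-release/npm plugin in use must be a version that accepts OIDC rather than requiring a token; neither is verifiable from this hunk, so confirm both before merging.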