From c62c1193095258006f53f6aed56db46d98310c0e Mon Sep 17 00:00:00 2001
From: Bart Veneman <bartveneman@gmail.com>
Date: Mon, 19 Jan 2026 23:33:23 +0100
Subject: [PATCH] use trusted publishing

---
 .github/workflows/release.yml | 30 +++++++++++-------------------
 1 file changed, 11 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1bb41a7..d6934f4 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,29 +7,21 @@ on:
   release:
     types: [created]
 
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          cache: "npm"
-      - run: npm install --no-fund --no-audit --ignore-scripts
-      - run: npm run build
-      - run: npm test
+permissions:
+  id-token: write # Required for OIDC
+  contents: read
 
+jobs:
   publish-npm:
-    needs: build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v5
+      - uses: actions/setup-node@v5
         with:
-          cache: "npm"
+          node-version: 22
           registry-url: https://registry.npmjs.org/
-      - run: npm install --no-fund --no-audit --ignore-scripts
+      - run: npm install -g npm@latest
+      - run: npm ci --ignore-scripts --no-fund --no-audit
       - run: npm run build
-      - run: npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
+      - run: npm test
+      - run: npm publish --access public