From 5ef2eca9991561f616f3120548d3de6b6fb5a2de Mon Sep 17 00:00:00 2001
From: Jannis R
Date: Wed, 22 Oct 2025 16:12:16 +0200
Subject: [PATCH] chore: CI: publish to npm using OIDC tokens see also https://docs.npmjs.com/trusted-publishers
---
 .github/workflows/build.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 56997419..7a2c1d13 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -10,6 +10,9 @@ env:
 REGISTRY: ghcr.io
 IMAGE_NAME: ${{ github.repository }}
 
+permissions:
+ id-token: write # for OIDC-based publishing to npm
+
 jobs:
 build-and-push-docker:
 runs-on: ubuntu-latest
@@ -53,7 +56,9 @@ jobs:
 with:
 node-version: '20.x'
 registry-url: 'https://registry.npmjs.org'
+ # for OIDC-based publishing to npm
+ - name: setup npm v11
+ run: npm install -g npm@11
+
 - run: npm ci
 - run: npm publish --provenance --access public
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
\ No newline at end of file
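Review bot: In the first hunk, `id-token: write` is granted at workflow level, so every job in build.yml, including `build-and-push-docker` and any third-party action it runs, can request an OIDC token that the npm trusted-publisher configuration may accept. Scope it to the job that runs `npm publish` with a job-level block: `permissions:`, `contents: read`, `id-token: write`. A top-level `permissions` block also sets every unlisted scope to none, so unless `build-and-push-docker` declares its own permissions (its body continues outside the hunk), its checkout and push to ghcr.io would lose `contents: read` and `packages: write`.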
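Review bot: In the second hunk, `npm install -g npm@11` resolves a floating major version at run time in the job that now holds the publish capability. Pin an exact release that meets the trusted-publishers minimum, for example `run: npm install -g npm@<exact-11.x-version>`. The removed `NODE_AUTH_TOKEN` appears to have been scoped to the publish step's `env`, whereas an OIDC token can be requested by any step of a job with `id-token: write`, so dependency lifecycle scripts run by `npm ci` are now inside that trust boundary. Consider `- run: npm ci --ignore-scripts` if the build allows it. Once OIDC publishing is confirmed, the `NPM_TOKEN` secret should be revoked on npm and deleted from the repository settings. The job's earlier steps lie outside the hunk.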