From e732a7ba6e941a50ca9bb095e0f98297cfd260ff Mon Sep 17 00:00:00 2001
From: Dario Anongba Varela <dario.anongba@gmail.com>
Date: Mon, 16 Mar 2026 20:53:12 +0100
Subject: [PATCH] ci: trusted publisher

---
 .github/workflows/main.yml            | 3 +--
 .github/workflows/publish-release.yml | 9 ++-------
 2 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 0e4e67a..ab1d318 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -61,6 +61,5 @@ jobs:
     name: Publish release
     permissions:
       contents: write
+      id-token: write
     uses: ./.github/workflows/publish-release.yml
-    secrets:
-      NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index 231f361..4eec7b5 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -2,9 +2,6 @@ name: Publish Release
 
 on:
   workflow_call:
-    secrets:
-      NPM_TOKEN:
-        required: true
 
 jobs:
   publish-release:
@@ -110,13 +107,11 @@ jobs:
           fail-on-cache-miss: true
       - name: Publish web
         working-directory: pkg-web
-        run: npm publish --access=public
+        run: npm publish --access=public --provenance
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
           SKIP_PREPACK: true
       - name: Publish node
         working-directory: pkg-node
-        run: npm publish --access=public
+        run: npm publish --access=public --provenance
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
           SKIP_PREPACK: true