From e2c96e6b03a205839ba517992d769eac31164ed7 Mon Sep 17 00:00:00 2001
From: "Dimitrios C. Michalakos" <dimitris@jmike.gr>
Date: Wed, 22 Oct 2025 17:54:38 +0300
Subject: [PATCH] chore: modernize GA workflows + use OIDC to authenticate with
 npm

---
 .github/workflows/ci.yml      | 17 ++++++++---------
 .github/workflows/release.yml | 11 ++++++++---
 .nvmrc                        |  2 +-
 3 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4ad9146..b638118 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -4,9 +4,6 @@ on:
   pull_request:
     types: [opened, synchronize, reopened, ready_for_review]
 
-env:
-  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-
 jobs:
   block-autosquash:
     if: github.event.pull_request.draft == false
@@ -24,8 +21,9 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
         with:
           node-version-file: '.nvmrc'
 
@@ -33,7 +31,7 @@ jobs:
         id: npm-cache
         with:
           path: '**/node_modules'
-          key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}
+          key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json', '.nvmrc') }}
 
       - uses: actions/cache@v4
         with:
@@ -53,8 +51,9 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v2
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
         with:
           node-version-file: '.nvmrc'
 
@@ -62,7 +61,7 @@ jobs:
         id: npm-cache
         with:
           path: '**/node_modules'
-          key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}
+          key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json', '.nvmrc') }}
 
       - uses: actions/cache@v4
         with:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c4cda11..4e28796 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,20 +5,25 @@ on:
     branches:
       - main
 
+permissions:
+  id-token: write  # Required for OIDC
+  contents: read
+
 jobs:
   release:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
         with:
           # This makes action fetch all Git history so that Changesets can generate changelogs with the correct commits
           fetch-depth: 0
 
       - name: Setup Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version-file: '.nvmrc'
+          registry-url: 'https://registry.npmjs.org'
 
       - name: Install Dependencies
         run: npm ci
@@ -27,6 +32,6 @@ jobs:
         uses: changesets/action@v1
         with:
           publish: npm run release
+          commit: 'chore: version packages'
         env:
           GITHUB_TOKEN: ${{ secrets.CHANGESET_RELEASE_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.nvmrc b/.nvmrc
index 53d1c14..a45fd52 100644
--- a/.nvmrc
+++ b/.nvmrc
@@ -1 +1 @@
-v22
+24