From 04a7b1d39d0175da21368ae7afcb06c8c4ed8e76 Mon Sep 17 00:00:00 2001
From: Gregor Martynus <39992+gr2m@users.noreply.github.com>
Date: Sat, 21 Mar 2026 10:31:14 -0700
Subject: [PATCH] ci(release): add permissions for OIDC and npm provenance
Add id-token, contents, pull-requests, and issues permissions. Remove NPM_TOKEN in favor of trusted publishing via OIDC. Update actions/checkout and actions/setup-node to v4.
---
 .github/workflows/release.yml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2371bde..7cf183d 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,13 +5,19 @@
 - main
 - beta
 name: Release
+permissions:
+ id-token: write # to enable use of OIDC for trusted publishing and npm provenance
+ contents: write # tags and releases
+ pull-requests: write # comments
+ issues: write # comments
+
 jobs:
 build:
 name: release
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v5
- - uses: actions/setup-node@v6
+ - uses: actions/checkout@v4
+ - uses: actions/setup-node@v4
 with:
 node-version: lts/*
 - run: npm ci
@@ -19,4 +25,3 @@ jobs:
 - run: npx semantic-release
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
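Review bot: The two `uses:` lines in the `build` job move `actions/checkout` from v5 and `actions/setup-node` from v6 down to `@v4`, which is a downgrade although the commit message calls it an update, and both remain mutable tags in a job that now holds `id-token: write` and `contents: write`. Any code that runs in this job can request an OIDC token that npm trusted publishing would accept, so the action references should be pinned to a full commit SHA, e.g. `- uses: actions/checkout@<full-commit-sha> # v4` (placeholder; take the SHA from the action's release page). The `permissions:` block is also declared at workflow level, so a job added later would inherit the same write scopes; moving it under `jobs.build` limits the grant to the release job. If the move to v4 is intentional, a one-line comment giving the reason would help the next reader.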