From 55b22d8e7e7d25a1a2951541b64cb902d536bc7b Mon Sep 17 00:00:00 2001
From: Karan Singh Kochar
Date: Sun, 21 Dec 2025 13:31:23 -0600
Subject: [PATCH] chore: switch to Trusted Publishing for npm (remove NPM_TOKEN)

Use OIDC-based Trusted Publishing instead of long-lived tokens. More secure: no secrets to manage, automatic GitHub authentication. npm will authenticate via GitHub Actions OIDC token automatically. The 'id-token: write' permission enables this.
---
 .github/workflows/npm-publish.yml | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 6357ad7..94e806e 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
@@ -85,11 +85,9 @@ jobs:
           echo "✅ Version $PACKAGE_VERSION is new. Ready to publish!"
         fi
 
-      # 9. Publish to npm
+      # 9. Publish to npm (using Trusted Publishing via OIDC)
       - name: Publish to npm
         run: npm publish --provenance --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       # 10. Success message
       - name: Success notification
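Review bot: The commit message says `id-token: write` enables OIDC authentication, but the diffstat shows only one insertion (the comment on the "# 9." line), so no `permissions:` block is added here; unless that grant already exists at the workflow or job level outside this hunk, the `npm publish --provenance` step will have no OIDC token to present and the publish will fail now that `NODE_AUTH_TOKEN` is gone. If a `permissions:` block is added, it replaces the default grants, so `contents: read` must be listed alongside `id-token: write` for the checkout step to keep working. Trusted publishing also depends on the npm CLI version installed by the setup step (outside this hunk) being recent enough to support it, and on the package's trusted publisher on npmjs.com being registered for this repository and this exact workflow filename, neither of which the workflow can verify on its own. Consider extending the new comment to `# 9. Publish to npm (Trusted Publishing via OIDC; requires permissions.id-token: write and a trusted publisher configured for this workflow file on npmjs.com)` so the out-of-band prerequisites are recorded next to the step. The enclosing job and steps list begin before and continue after this hunk.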