From 4ff440ef20bff73702997bf8516c7d491078e617 Mon Sep 17 00:00:00 2001
From: Tomas Kral
Date: Tue, 28 Apr 2026 13:16:57 +0200
Subject: [PATCH] chore(ci): switch to npm trusted publishing with OIDC

Replace long-lived NPM_TOKEN authentication with OIDC-based trusted publishing for improved supply chain security.
---
 .github/workflows/publish.yaml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index f8f9b82..1dd3c04 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -10,6 +10,7 @@ jobs:
 permissions:
 contents: write
 pull-requests: write
+ id-token: write
 steps:
 - name: Checkout Repo
 uses: actions/checkout@v4
@@ -30,7 +31,4 @@ jobs:
 run: yarn build
 - name: Publish
- run: yarn npm publish
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
- YARN_NPM_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+ run: npm publish --access public
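Review bot: `id-token: write` is added at job level beside `contents: write` and `pull-requests: write`, so every step in this job can request the OIDC token that npm accepts for publishing, including the checkout action and `yarn build`. Consider moving the Publish step into its own job that consumes the built artifact and declares only `id-token: write` and `contents: read`. Also pin `actions/checkout@v4` to a full commit SHA, since a mutable tag now runs in a job that holds a publish-capable identity. The rest of the job lies outside the hunk, so whether an `environment:` is set cannot be seen here; binding the npm trusted publisher to a protected environment would further narrow which runs can publish.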
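Review bot: The Publish step now runs `npm publish --access public` with no token, which authenticates only if the runner's npm CLI supports OIDC trusted publishing, and no step that sets or checks the npm version is visible in this hunk. npm documents a minimum CLI version for this (11.5.1 to my knowledge, worth confirming), so pin a suitable toolchain in the setup step or add a `npm --version` check before publishing. Moving from `yarn npm publish` to `npm publish` also changes which tool packs the tarball; if the package relies on Yarn-side manifest rewriting such as `workspace:` ranges, compare the output of `npm pack --dry-run` first. Removing the `env:` lines does not invalidate the credential: revoke the token behind `NPM_TOKEN` on npm, delete the repository secret, and restrict the package to trusted publishing so the old token path is closed.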