From 968ec9baaff1c211873c0464c35277b57bc6e917 Mon Sep 17 00:00:00 2001
From: Luciano Hanyon Wu
Date: Fri, 13 Feb 2026 22:34:56 +0800
Subject: [PATCH] ci: switch npm publish to GitHub OIDC trusted publishing
---
 .github/workflows/release-package.yaml | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/release-package.yaml b/.github/workflows/release-package.yaml
index 35480d9..5477278 100644
--- a/.github/workflows/release-package.yaml
+++ b/.github/workflows/release-package.yaml
@@ -2,12 +2,15 @@ name: Publish package yahtml to npm
 on:
 release:
 types: [published]
- # Allows you to run this workflow manually from the Actions tab
+ # Keep manual publish from the Actions tab
 workflow_dispatch:
 jobs:
 build:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
 steps:
 - uses: actions/checkout@v4
@@ -16,14 +19,12 @@ jobs:
 with:
 bun-version: 1.2.2
- # Setup .npmrc file to publish to npm
- - uses: actions/setup-node@v3
+ # Setup npm registry for trusted publishing via OIDC
+ - uses: actions/setup-node@v4
 with:
 node-version: "20.x"
 registry-url: "https://registry.npmjs.org"
 # Publish to npm
 - name: Publish to npm
- run: npm publish
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
+ run: npm publish --provenance --access public
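Review bot: The `id-token: write` grant covers the whole `build` job, so every step in it (checkout, the bun setup, and whatever install or build steps lie outside this hunk) can request an OIDC token that npm will accept for publishing. The retained `workflow_dispatch` trigger also lets the job be started from any ref a writer picks. Consider binding the job to a protected environment, e.g. `environment: npm-publish` (example name) next to `runs-on`, and naming the same environment in the package's trusted-publisher settings on npm so tokens minted outside it are refused. A comment above `permissions:` such as `# id-token: write lets this job mint the OIDC token npm exchanges for publish rights` would make the grant's purpose explicit. The job body continues outside the hunk.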
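Review bot: With `NODE_AUTH_TOKEN` removed, the `npm publish` step depends entirely on the OIDC exchange, but `node-version: "20.x"` normally bundles npm 10, and trusted publishing is, as far as I know, only supported from npm CLI 11.5.1 onward, so this step is likely to fail authentication. Either move to a Node line that ships a new enough npm or add a step before the publish that installs a pinned npm release of at least 11.5.1. Separately, `actions/setup-node@v4` and the other actions in this job are referenced by mutable tag in a job that can now publish; pinning each to a full commit SHA, as in `uses: actions/setup-node@<commit-sha> # v4`, narrows that exposure. `--provenance` should be redundant under trusted publishing but is harmless to keep.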