From 84af6d08eaa3d80935b8509eebb0ae40897205a7 Mon Sep 17 00:00:00 2001
From: Sam Willis
Date: Thu, 15 Jan 2026 09:33:17 +0000
Subject: [PATCH 1/2] feat: enable npm trusted publishing (OIDC)
Configure the changesets-release job to use npm's Trusted Publishing feature instead of long-lived npm tokens. This uses OpenID Connect (OIDC) for authentication, providing better security through short-lived, workflow-specific credentials.
Changes:
- Add id-token: write permission for OIDC token generation
- Remove NPM_TOKEN secret (no longer needed with trusted publishing)
See: https://docs.npmjs.com/trusted-publishers
---
 .github/workflows/build_and_test.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml
index 3a18acca4..b7e3f4462 100644
--- a/.github/workflows/build_and_test.yml
+++ b/.github/workflows/build_and_test.yml
@@ -340,6 +340,7 @@ jobs:
 changesets-release:
 if: github.event_name == 'push'
 permissions:
+ id-token: write # Required for npm trusted publishing (OIDC)
 contents: write # to create release (changesets/action)
 issues: write # to post issue comments (changesets/action)
 pull-requests: write # to create pull request (changesets/action)
@@ -377,4 +378,3 @@ jobs:
 title: 'chore: publish new package versions'
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
From 6a3c0bd458b0166e3dff26a1ff23d7c3445bd460 Mon Sep 17 00:00:00 2001
From: Sam Willis
Date: Thu, 15 Jan 2026 09:37:54 +0000
Subject: [PATCH 2/2] chore: upgrade to Node.js 24 for changesets-release job
npm trusted publishing requires npm 11.5.1+, which is bundled with Node.js 24 (npm 11.6.2). Node.js 20 only includes npm 10.8.2.
---
 .github/workflows/build_and_test.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml
index b7e3f4462..8611fab3c 100644
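Review bot: The `id-token: write` added under `permissions:` of `changesets-release` (PATCH 1/2, first hunk) lets every step in that job request an OIDC token, and once the npm trusted publisher is configured for this workflow that token is enough to publish, yet the only gate visible on the job is `if: github.event_name == 'push'`. The workflow's `on:` triggers are outside the hunk, so if pushes to branches other than the release branch can start this workflow, those runs would hold the same publishing identity; consider tightening the condition, e.g. `if: github.event_name == 'push' && github.ref == 'refs/heads/<release-branch>'`, or adding `environment: <release-environment>` to the job and naming that environment in the npm trusted-publisher configuration. The job also runs actions referenced by mutable tags (`pnpm/action-setup@v4`, `actions/setup-node@v4`, visible in PATCH 2/2) inside the same token scope, so pinning them to full commit SHAs would limit what a retagged action could do with it. The job body continues outside the hunk.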
--- a/.github/workflows/build_and_test.yml
+++ b/.github/workflows/build_and_test.yml
@@ -352,7 +352,7 @@ jobs:
 - uses: pnpm/action-setup@v4
 - uses: actions/setup-node@v4
 with:
- node-version: 20
+ node-version: 24 # Required for npm trusted publishing (npm 11.5.1+)
 cache: pnpm
 - name: Download PGlite WASM build artifacts