From 576162ef497307d4f0936b950eef6448ba33ae22 Mon Sep 17 00:00:00 2001
From: Joe Heffernan
Date: Wed, 18 Feb 2026 09:11:19 -0800
Subject: [PATCH] update ci to use OIDC and trusted publishing instead of NPM tokens
---
 .github/workflows/ci.yml | 34 ++++++++++++++++++++--------------
 1 file changed, 20 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d731cb43..20f64f4a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -3,18 +3,25 @@ name: Node.js CI
 env:
-  NODE_VERSION: "20.x"
+  NODE_VERSION: "24"
 on: [push]
+permissions:
+  # Required for OIDC token for NPM Trusted Publishers.
+  # See https://docs.github.com/en/actions/concepts/security/openid-connect
+  # and https://docs.npmjs.com/trusted-publishers.
+  id-token: write
+  contents: read
 jobs:
   lint:
     name: ✅ Lint
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #4.3.1
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 #v6.2.0
         with:
           node-version: ${{env.NODE_VERSION}}
       - run: npm ci
@@ -23,9 +30,9 @@ jobs:
     name: Unit Test
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #4.3.1
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 #v6.2.0
         with:
           node-version: ${{env.NODE_VERSION}}
       - run: npm ci
@@ -34,9 +41,9 @@ jobs:
     name: Type Check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #4.3.1
       - name: Setup Node
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 #v6.2.0
         with:
           node-version: ${{env.NODE_VERSION}}
       - run: npm ci
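Review bot: The workflow-level `permissions` block added in the first hunk grants `id-token: write` to every job in this workflow, yet only the publish job in the last hunk needs to exchange an OIDC token; the lint, test, typeCheck and build jobs run third-party actions and `npm ci` lifecycle scripts with that grant, and since an npm trusted-publisher binding is keyed on the workflow file, any of those jobs could presumably redeem it. Keep `contents: read` at the top level and move `id-token: write` into a `permissions:` block on the publish job itself. Also, the pin comments are written `#4.3.1` on every checkout line (this hunk and the four below) but `#v6.2.0` on setup-node; tools that refresh SHA pins read a `# vX.Y.Z` comment, so write `# v4.3.1` with a leading space and the `v` consistently. Whether the two SHAs actually correspond to those tags cannot be checked from the diff and should be confirmed against the upstream release tags before merging.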
@@ -49,8 +56,8 @@ jobs:
     needs: [lint, typeCheck, test]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #4.3.1
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 #v6.2.0
         with:
           node-version: ${{env.NODE_VERSION}}
       - run: npm ci
@@ -70,13 +77,12 @@ jobs:
     needs: [lint, typeCheck, test]
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 #4.3.1
+      - uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 #v6.2.0
         with:
           node-version: ${{env.NODE_VERSION}}
           registry-url: https://registry.npmjs.org/
+          package-manager-cache: false # Do not cache when publishing to prevent cache pollution attacks
       - run: npm ci
       - run: npm run build
-      - run: npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
+      - run: npm publish --provenance # Provenance required for Trusted Publishers
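Review bot: `npm publish --provenance` in the last hunk only authenticates via OIDC if the npm CLI on the runner meets the minimum the npm trusted-publishers docs state (11.5.1 at the time of writing), and `node-version: "24"` resolves to whichever npm the selected Node patch release bundles, so add a guard after the setup step such as `- run: npm install -g npm@latest` or at least `- run: npm --version` so a silent fallback to a missing token fails visibly. The removed `NODE_AUTH_TOKEN` line leaves the `NPM_TOKEN` repository secret unused; it should be revoked on npmjs and deleted from the repository settings so no other workflow can still read it. The comment `# Provenance required for Trusted Publishers` may overstate things, as the npm docs describe provenance as generated automatically under trusted publishing; `# Explicit provenance; trusted publishing also attests automatically` would be more accurate if that holds for the pinned CLI. The publish job's header, including any `if:` that stops it from publishing on every push to every branch, lies before this hunk and could not be reviewed here.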