From 6606b9c4a0b8281fa80e4ee0d6d23ba1fa4c0a9b Mon Sep 17 00:00:00 2001
From: Will Palmeri
Date: Thu, 15 Jan 2026 16:45:59 -0800
Subject: [PATCH] move to trusted npm publishing Trust relationship already established. Add provenance
---
 .github/workflows/npm_and_docker_publish.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/npm_and_docker_publish.yml b/.github/workflows/npm_and_docker_publish.yml
index 734cc7a..cf8ac28 100644
--- a/.github/workflows/npm_and_docker_publish.yml
+++ b/.github/workflows/npm_and_docker_publish.yml
@@ -3,6 +3,10 @@ on:
 release:
 types: [published]

+permissions:
+ id-token: write # Required for OIDC
+ contents: read
+
 jobs:
 build-publish:
 runs-on: ubuntu-latest
@@ -23,9 +27,7 @@ jobs:
 run: yarn build:all

 - name: Publish npm package
- run: yarn publish:anchor-tests
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+ run: yarn publish:anchor-tests --provenance

 - name: Docker Login
 uses: docker/login-action@v2.1.0
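Review bot: `id-token: write` is granted at workflow level in the new `permissions:` block, so every step of `build-publish` can request an OIDC token, including `yarn build:all`, which runs project and dependency code before the publish step. Consider moving the npm publish into its own job that declares `permissions: id-token: write`, leaving the build and Docker steps with `contents: read` only. A top-level `permissions:` block also sets every unlisted scope to none. If the Docker steps outside this hunk push to GHCR with `GITHUB_TOKEN` they would additionally need `packages: write`; the target registry is not visible here, so this should be confirmed.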
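Review bot: Whether `--provenance` reaches a CLI that understands it depends on what the `publish:anchor-tests` package script runs, which is not visible in this hunk; the flag is simply appended to that script's command. npm's trusted publishing requires npm CLI 11.5.1 or later, so the job should ensure that version before this step, for example with a pinned `run: npm install -g npm@<pinned-version>`. Per npm's documentation, provenance is attached automatically when publishing through a trusted publisher, so the explicit flag may be redundant. With `NODE_AUTH_TOKEN` removed from the step, the long-lived `NPM_TOKEN` should also be revoked on npm and deleted from the repository secrets so it cannot be used outside this workflow.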