From 087db3575792be0633d8c70a9751bb27377204fa Mon Sep 17 00:00:00 2001
From: Tomas Vesely <448809+wham@users.noreply.github.com>
Date: Thu, 18 Dec 2025 11:11:10 -0800
Subject: [PATCH] Enable OIDC trusted publishing authentication for NPM, removing the need for NPM_TOKEN secrets

---
 .github/workflows/release.yml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 781d900..f46cb36 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -341,6 +341,9 @@ jobs:
         with:
           node-version: "20"
           registry-url: "https://registry.npmjs.org"
+          # Enable OIDC trusted publishing authentication
+          # This eliminates the need for NPM_TOKEN secrets
+          # See: https://github.blog/changelog/2024-04-15-npm-provenance-now-supports-github-actions/
 
       - name: Download all artifacts
         uses: actions/download-artifact@v4
@@ -387,16 +390,15 @@ jobs:
           perl -pi -e "s/\"github-brain-(darwin-arm64|darwin-x64|linux-arm64|linux-x64|windows)\": \"0\.0\.0\"/\"github-brain-\$1\": \"$VERSION\"/g" package.json
 
       - name: Publish platform packages
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: |
           for dir in npm/darwin-arm64 npm/darwin-x64 npm/linux-arm64 npm/linux-x64 npm/windows; do
             cd "$dir"
+            # Using --provenance with OIDC authentication (no token needed)
             npm publish --provenance --access public
             cd ../..
           done
 
       - name: Publish main package
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-        run: npm publish --provenance --access public
+        run: |
+          # Using --provenance with OIDC authentication (no token needed)
+          npm publish --provenance --access public
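Review bot: The three added comment lines under the setup-node `with:` block state what was removed but not what the new code now depends on, and the linked changelog appears to be about provenance attestations rather than token-less trusted publishing, so a reader cannot tell from this hunk what must be true for `npm publish` to authenticate. I would replace the third line with a comment naming the two preconditions that live outside this hunk: `# Requires permissions: id-token: write on this job and a trusted publisher configured on npmjs.com for this repo/workflow file`. The enclosing job (and its `permissions:` block, if any) starts outside the hunk, so whether `id-token: write` is already granted cannot be confirmed here.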
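Review bot: Both publish steps now run `npm publish --provenance --access public` with no credential at all, so success rests entirely on the OIDC path, and the hunk does not show the job-level `permissions: id-token: write` grant or pin an npm version that supports trusted publishing; Node 20's bundled npm is a 10.x line, and OIDC trusted publishing is documented as requiring a newer npm CLI, so this is likely to fail with an auth error unless npm is upgraded in a step before these two (for example `- run: npm install -g npm@latest`). If `id-token: write` is granted, keep it scoped to this job rather than the workflow, since it is the only job that should mint an OIDC token. Once the workflow is verified, the now-unused `NPM_TOKEN` repository secret should be revoked on npmjs.com and deleted from the repository so the long-lived credential stops being a standing risk; the setup-node step's `.npmrc` is written for a `NODE_AUTH_TOKEN` that is now never set, which is worth confirming does not interfere with the OIDC exchange. The job definition begins outside this hunk.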