From 9c50af6b49a398a1faff5052451625dc63a7ddb5 Mon Sep 17 00:00:00 2001
From: Jehiah Czebotar <45028+jehiah@users.noreply.github.com>
Date: Wed, 24 Jun 2026 16:38:28 +0000
Subject: [PATCH] Use trusted publishing for npm release

Remove NODE_AUTH_TOKEN since the workflow uses OIDC trusted publishing
(id-token: write + --provenance). Upgrade npm to ensure a version that
supports trusted publishing.
---
 .github/workflows/npm_release.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/npm_release.yaml b/.github/workflows/npm_release.yaml
index e72093c..ec1dfc5 100644
--- a/.github/workflows/npm_release.yaml
+++ b/.github/workflows/npm_release.yaml
@@ -15,8 +15,8 @@ jobs:
         with:
           node-version: '22.x'
           registry-url: 'https://registry.npmjs.org'
+      # Trusted publishing requires npm >= 11.5.1
+      - run: npm install -g npm@latest
       - run: npm ci
       - run: npm publish --provenance --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}