From a3380821aed43601bf5da104594419d820fd5b4b Mon Sep 17 00:00:00 2001
From: Sergey Zelenov
Date: Mon, 18 May 2026 12:27:53 +0200
Subject: [PATCH 1/4] chore(NODE-7562): migrate main release workflows to npm trusted publishers
Replace NPM_TOKEN with OIDC dispatch to npm-publish.yml in release.yml and release-alpha.yml; remove dormant release-6.8.yml.
---
 .github/workflows/release-6.8.yml | 113 ----------------------------
 .github/workflows/release-alpha.yml | 15 ++--
 .github/workflows/release.yml | 14 ++--
 3 files changed, 17 insertions(+), 125 deletions(-)
 delete mode 100644 .github/workflows/release-6.8.yml
diff --git a/.github/workflows/release-6.8.yml b/.github/workflows/release-6.8.yml
deleted file mode 100644
index e3c8c6a2e52..00000000000
--- a/.github/workflows/release-6.8.yml
+++ /dev/null
@@ -1,113 +0,0 @@ -on: - push: - branches: ['6.8'] - workflow_dispatch: {} - -permissions: - contents: write - pull-requests: write - id-token: write - -name: release-68 - -jobs: - release_please: - runs-on: ubuntu-latest - outputs: - release_created: ${{ steps.release.outputs.release_created }} - steps: - - id: release - uses: googleapis/release-please-action@v4 - with: - target-branch: '6.8' - - build: - needs: [release_please] - name: 'Perform any build or bundling steps, as necessary.' - uses: ./.github/workflows/build.yml - - ssdlc: - needs: [release_please, build] - permissions: - # required for all workflows - security-events: write - id-token: write - contents: write - environment: release - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v5 - with: - ref: '6.8' - - - name: Install Node and dependencies - uses: mongodb-labs/drivers-github-tools/node/setup@v3 - with: - ignore_install_scripts: false - - - name: Load version and package info - uses: mongodb-labs/drivers-github-tools/node/get_version_info@v3 - with: - npm_package_name: mongodb - - - name: actions/compress_sign_and_upload - uses: mongodb-labs/drivers-github-tools/node/sign_node_package@v3 - with: - aws_role_arn: ${{ secrets.AWS_ROLE_ARN }} - aws_region_name: us-east-1 - aws_secret_id: ${{ secrets.AWS_SECRET_ID }} - npm_package_name: mongodb - dry_run: ${{ needs.release_please.outputs.release_created == '' }} - - - name: Copy sbom file to release assets - shell: bash - if: ${{ '' == '' }} - run: cp sbom.json ${{ env.S3_ASSETS }}/sbom.json - - # only used for mongodb-client-encryption - - name: Augment SBOM and copy to release assets - if: ${{ '' != '' }} - uses: mongodb-labs/drivers-github-tools/sbom@v3 - with: - silk_asset_group: '' - sbom_file_name: sbom.json - - - name: Generate authorized pub report - uses: mongodb-labs/drivers-github-tools/full-report@v3 - with: - release_version: ${{ env.package_version }} - product_name: mongodb - sarif_report_target_ref: '6.8' - 
third_party_dependency_tool: n/a - dist_filenames: artifacts/* - token: ${{ github.token }} - sbom_file_name: sbom.json - evergreen_project: mongo-node-driver-next - evergreen_commit: ${{ env.commit }} - - uses: mongodb-labs/drivers-github-tools/upload-s3-assets@v3 - with: - version: ${{ env.package_version }} - product_name: mongodb - dry_run: ${{ needs.release_please.outputs.release_created == '' }} - - publish: - needs: [release_please, ssdlc, build] - environment: release - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v5 - with: - ref: '6.8' - - - name: Install Node and dependencies - uses: mongodb-labs/drivers-github-tools/node/setup@v3 - - # Just picking a string to put here so that releases from this branch are not marked "latest", - # we should go and rm-dist-tag after this is published, no reason to keep it tagged. - - run: | - npm publish --provenance --tag=tag-for-publishing-older-releases - npm dist-tag rm mongodb tag-for-publishing-older-releases - if: ${{ needs.release_please.outputs.release_created }} - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/release-alpha.yml b/.github/workflows/release-alpha.yml
index 2c7c0c8d649..cd0f5b903c7 100644
--- a/.github/workflows/release-alpha.yml
+++ b/.github/workflows/release-alpha.yml
@@ -9,7 +9,8 @@ on: type: string permissions: - id-token: write + actions: write + contents: read name: release-alpha
@@ -26,9 +27,11 @@ jobs: exit 1 fi - uses: actions/checkout@v5 - - name: Install Node and dependencies - uses: mongodb-labs/drivers-github-tools/node/setup@v3 - - run: npm version "${{ inputs.alphaVersion }}" --git-tag-version=false - - run: npm publish --provenance --tag=alpha + - name: Dispatch npm-publish workflow env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + GH_TOKEN: ${{ github.token }} run: | node ./.github/scripts/dispatch-and-wait.mjs npm-publish.yml \ tag=alpha \ version="${{ inputs.alphaVersion }}" \ ref="${{ github.sha }}"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index dae8942a43f..a86db2d120e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,7 +6,7 @@ on: permissions: contents: write pull-requests: write - id-token: write + actions: write name: release-latest
@@ -96,10 +96,12 @@ jobs: steps: - uses: actions/checkout@v5 - - name: Install Node and dependencies - uses: mongodb-labs/drivers-github-tools/node/setup@v3 - - - run: npm publish --provenance --tag=latest + - name: Dispatch npm-publish workflow if: ${{ needs.release_please.outputs.release_created }} env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + GH_TOKEN: ${{ github.token }} run: | node ./.github/scripts/dispatch-and-wait.mjs npm-publish.yml \ tag=latest \ version="$(node -p "require('./package.json').version")" \ ref="${{ github.sha }}"
From 39638f7e08c839036bffb60eb0733505be9b2af2 Mon Sep 17 00:00:00 2001
From: Sergey Zelenov
Date: Mon, 18 May 2026 12:53:25 +0200
Subject: [PATCH 2/4] fix(NODE-7562): avoid shell injection in release-alpha workflow
Move alphaVersion input to an env var so bash does not perform command substitution on user-controlled input (semgrep finding).
---
 .github/workflows/release-alpha.yml | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release-alpha.yml b/.github/workflows/release-alpha.yml
index cd0f5b903c7..759de2b282b 100644
--- a/.github/workflows/release-alpha.yml
+++ b/.github/workflows/release-alpha.yml
@@ -19,10 +19,12 @@ jobs: runs-on: ubuntu-latest steps: - shell: bash + env: + ALPHA_VERSION: ${{ inputs.alphaVersion }} run: | ALPHA_SEMVER_REGEXP="-alpha(\.([0-9]|[1-9][0-9]+))?$" - if ! [[ "${{ inputs.alphaVersion }}" =~ $ALPHA_SEMVER_REGEXP ]]; then + if ! [[ "$ALPHA_VERSION" =~ $ALPHA_SEMVER_REGEXP ]]; then echo "Invalid alphaVersion string" exit 1 fi
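Review bot: The `environment: release` gate on this publish job no longer covers the actual publish, because `npm publish` now runs in the separately dispatched npm-publish.yml run, and environment protection rules (required reviewers, deployment-branch restrictions) apply only to the job that declares the environment. Unless the publishing job in npm-publish.yml declares `environment: release` itself and the npm trusted-publisher entry is bound to that workflow file and environment, any run that can dispatch it with a chosen `ref` can publish; I cannot see npm-publish.yml's job header in this series, so that needs confirming. Passing `ref="${{ github.sha }}"` rather than a branch name is the right choice, since it pins the dispatched run to the commit that release-please tagged. A comment above the step would make the delegation explicit, e.g. `# Publishing is delegated to npm-publish.yml (npm trusted publisher via OIDC); this job only dispatches it and waits for the result.` The enclosing publish job starts outside the hunk.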
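Review bot: The regexp `-alpha(\.([0-9]|[1-9][0-9]+))?$` is anchored only at the end, so it validates the suffix but not the version itself: any string ending in `-alpha` or `-alpha.N` passes and reaches `npm version` in the dispatched workflow unchecked. Now that the value is read from `ALPHA_VERSION`, anchoring the whole value turns the check into a real allowlist, e.g. `ALPHA_SEMVER_REGEXP="^[0-9]+\.[0-9]+\.[0-9]+-alpha(\.([0-9]|[1-9][0-9]+))?$"`. Moving the input out of the `${{ }}` expansion and into an env var is the correct fix for the injection finding. The job header is outside the hunk.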
@@ -30,8 +32,9 @@ jobs: - name: Dispatch npm-publish workflow env: GH_TOKEN: ${{ github.token }} + ALPHA_VERSION: ${{ inputs.alphaVersion }} run: | node ./.github/scripts/dispatch-and-wait.mjs npm-publish.yml \ tag=alpha \ - version="${{ inputs.alphaVersion }}" \ + version="$ALPHA_VERSION" \ ref="${{ github.sha }}"
From 466fe9b4c934b14feba6784607fcf51b5539efdf Mon Sep 17 00:00:00 2001
From: Sergey Zelenov
Date: Mon, 18 May 2026 13:43:56 +0200
Subject: [PATCH 3/4] fix: move actions:write to publish job level (least-privilege)
---
 .github/workflows/release.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a86db2d120e..ac9810e05b6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -6,7 +6,6 @@ on: permissions: contents: write pull-requests: write - actions: write name: release-latest
@@ -91,6 +90,9 @@ jobs: publish: needs: [release_please, ssdlc, build] + permissions: + actions: write + contents: read environment: release runs-on: ubuntu-latest steps:
From 4102c02c6732df9ae28c0feb5a2d5ec6e43309e1 Mon Sep 17 00:00:00 2001
From: Sergey Zelenov
Date: Tue, 19 May 2026 08:59:44 +0200
Subject: [PATCH 4/4] fix: move inputs to env vars in npm-publish.yml to prevent shell injection
---
 .github/workflows/npm-publish.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
index 945259d32d6..7600e7f9a12 100644
--- a/.github/workflows/npm-publish.yml
+++ b/.github/workflows/npm-publish.yml
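Review bot: Narrowing `actions: write` to the publish job is right, but the equivalent grant added to release-alpha.yml in PATCH 1/4 is still at workflow level, where it applies to every job in that workflow; moving it under the job there keeps the two workflows consistent. A why-comment on the new block would help the next reader, e.g. `# actions: write is needed only to dispatch npm-publish.yml. GITHUB_TOKEN cannot be scoped to one workflow, so npm-publish.yml must enforce its own input and environment checks.` The job-level `contents: read` correctly overrides the workflow-level `contents: write` for the checkout this job performs.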
@@ -36,5 +36,9 @@ jobs: ref: ${{ inputs.ref }} - name: Install Node and dependencies uses: mongodb-labs/drivers-github-tools/node/setup@v3 - - run: npm version "${{ inputs.version }}" --git-tag-version=false --allow-same-version - - run: npm publish --provenance --tag="${{ inputs.tag }}" + - run: npm version "$VERSION" --git-tag-version=false --allow-same-version + env: + VERSION: ${{ inputs.version }} + - run: npm publish --provenance --tag="$TAG" + env: + TAG: ${{ inputs.tag }}
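Review bot: `$VERSION` and `$TAG` are now expanded safely, but neither input is validated before use: `npm version "$VERSION"` accepts anything npm can parse, `npm publish --tag="$TAG"` attaches whatever dist-tag the dispatcher supplied (including `latest`), and `ref: ${{ inputs.ref }}` is checked out as given. Since this workflow is the one holding the OIDC trust, the regexp check release-alpha.yml performs on its own input does not protect a direct `workflow_dispatch` of this file; the defensive move is a validation step here as well, for example (with `REF` exported the same way as `VERSION` and `TAG`) `[[ "$TAG" =~ ^(latest|alpha)$ && "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-alpha(\.[0-9]+)?)?$ && "$REF" =~ ^[0-9a-f]{40}$ ]] || exit 1`, adjusted to whatever the inputs block actually allows, which I cannot see from here. A leading comment such as `# Inputs arrive from dispatch-and-wait.mjs (release.yml, release-alpha.yml) or a manual dispatch; validate them before they reach npm.` would make the trust boundary explicit. The enclosing job starts outside the hunk.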