Use OIDC for publishing (#7)

danyalaytekin · web-flow · commit 027a6abbdea9 · 2026-01-14T15:38:53.000Z
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -9,6 +9,10 @@ on:
         default: true
         type: boolean
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   publish:
     runs-on: ubuntu-latest
@@ -19,21 +23,17 @@ jobs:
       - uses: actions/checkout@v6
       - uses: actions/setup-node@v6
         with:
-          node-version: 22
+          node-version: 24
           registry-url: https://registry.npmjs.org
       - run: npm ci
 
       - name: Publish package
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.REGISTRY_PUBLISH_TOKEN }}
         if: >
           (github.event_name == 'release' && github.event.action == 'published') ||
           (github.event_name == 'workflow_dispatch' && !inputs.dryRun)
         run: npm publish --provenance --access public
 
       - name: Publish package (dry run)
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.REGISTRY_PUBLISH_TOKEN }}
         if: >
           (github.event_name == 'release' && github.event.action != 'published') ||
           (github.event_name == 'workflow_dispatch' && inputs.dryRun)
