From f2bfb6feed9b2cfe3eeec3cfd2e5683dbbdd0dd8 Mon Sep 17 00:00:00 2001
From: 343dev <343dev@users.noreply.github.com>
Date: Tue, 23 Dec 2025 07:39:49 +0700
Subject: [PATCH] Configure trusted publishing for npm package

---
 .github/workflows/publish-npm.yml | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml
index 1ef31dd..bc150ce 100644
--- a/.github/workflows/publish-npm.yml
+++ b/.github/workflows/publish-npm.yml
@@ -6,20 +6,21 @@ on:
 types: [completed]
 branches: [main]

+permissions:
+ id-token: write # Required for OIDC
+ contents: read
+
 jobs:
 publish_to_npm:
 runs-on: ubuntu-latest
 if: ${{ github.event.workflow_run.conclusion == 'success' }}
- permissions:
- actions: write # “andymckay/cancel-action” requires “write” access to the “actions” permission
- id-token: write # Provenance generation in GitHub Actions requires “write” access to the “id-token” permission

 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@v6

 - name: Setup Node.js
- uses: actions/setup-node@v4
+ uses: actions/setup-node@v6
 with:
 node-version: '18.18.0'
 registry-url: 'https://registry.npmjs.org'
@@ -47,6 +48,4 @@ jobs:

 - name: Publish to npm
 if: ${{ steps.check.outputs.VERSION_CHANGED == 'true' }}
- run: npm publish --provenance --access public
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+ run: npm publish --access public
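Review bot: `id-token: write` now sits at workflow level, so any job added to this file later inherits the ability to request an OIDC token that npm trusts for publishing; keeping the `permissions:` mapping (`id-token: write`, `contents: read`) under `publish_to_npm:` scopes it to the one job that publishes. The removed `actions: write` was documented as required by andymckay/cancel-action, and the diffstat accounts for no other deletions, so if that step still exists in the lines between the two hunks it will presumably fail with a permission error; confirm it is gone or restore the permission on the job. Because this job can publish, `actions/checkout@v6` and `actions/setup-node@v6` would be safer pinned to a full commit SHA, e.g. `uses: actions/checkout@<full-commit-sha> # v6`, since a tag can be moved after review. The job body continues outside the hunk.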
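Review bot: The publish step now depends entirely on npm's OIDC token exchange, but the workflow still installs Node `18.18.0` (context line in the first hunk), whose bundled npm predates trusted-publishing support; npm documents 11.5.1 as the minimum CLI version, and as far as I know npm 11 does not run on Node 18. Unless a step outside the hunks upgrades it, `npm publish --access public` will fail to authenticate, so `node-version` should move to a release that supports npm >= 11.5.1. Dropping `--provenance` is consistent with trusted publishing, which attaches provenance automatically for public packages, but a comment such as `# auth and provenance come from npm trusted publishing (OIDC); no NODE_AUTH_TOKEN` above the `run:` line would record why no token is set. Once a publish has succeeded this way, the `NPM_TOKEN` repository secret should be deleted and the token revoked on npm, and the package set to disallow token-based publishing, so the long-lived credential is no longer a fallback path.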