From 93db8ca4faaaf946e1abbda65ff1d8f54104003f Mon Sep 17 00:00:00 2001
From: Eduardo Roth
Date: Thu, 19 Mar 2026 16:27:10 -0600
Subject: [PATCH 1/2] chore(gh): remove disabled workflow
---
.github/workflows/release.yml | 92 -----------------------------------
1 file changed, 92 deletions(-)
delete mode 100644 .github/workflows/release.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
deleted file mode 100644
index 94f8ef1b..00000000
--- a/.github/workflows/release.yml
+++ /dev/null
@@ -1,92 +0,0 @@ -name: Release -on: - push: - branches: - - main - workflow_dispatch: - -permissions: - contents: read - -jobs: - release-please: - runs-on: ubuntu-latest - outputs: - release_created: ${{ steps.release.outputs.release_created }} - permissions: - contents: write - pull-requests: write - steps: - - uses: googleapis/release-please-action@v4 - id: release - with: - token: ${{ secrets.GITHUB_TOKEN }} - config-file: release-please-config.json - manifest-file: .release-please-manifest.json - - release: - needs: release-please - if: ${{ needs.release-please.outputs.release_created }} - runs-on: ubuntu-latest - permissions: - contents: write - id-token: write - steps: - - uses: actions/checkout@v6 - - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 - with: - node-version-file: '.nvmrc' - registry-url: 'https://registry.npmjs.org' - - run: npm ci - - run: npm run build - - name: Create NPM release - run: npm publish --provenance --access public - env: - NODE_AUTH_TOKEN: ${{ secrets.HD_CLI_NPM_TOKEN }} - - publish-images: - name: Publish Images - runs-on: ubuntu-latest - permissions: - packages: write - steps: - - uses: actions/checkout@v6 - - name: Parse tag - run: echo "VERSION=${{ github.ref_name }}" >> $GITHUB_ENV - - - uses: docker/metadata-action@v5 - id: meta - with: - # Enable when we have Docker Hub set up - images: | - name=ghcr.io/herodevs/eol-scan - name=docker.io/herodevs/eol-scan,enable=false - tags: | - type=sha,format=long - type=raw,value=latest - type=raw,value=${{ env.VERSION }} - - - uses: docker/login-action@v3 - # Enable when we have Docker Hub set up - if: ${{ false }} - with: - username: ${{ vars.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_TOKEN }} - - - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - uses: docker/setup-buildx-action@v3 - - uses: docker/build-push-action@v6 - with: - context: . 
- file: ./ci/image.Dockerfile - platforms: linux/amd64,linux/arm64 - push: true - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha - cache-to: type=gha,mode=max \ No newline at end of file From 7657ed5f2d56d03e6afb903bb122ec615f6469e7 Mon Sep 17 00:00:00 2001 From: Eduardo Roth Date: Thu, 19 Mar 2026 16:33:18 -0600 Subject: [PATCH 2/2] feat(gh): update workflow to use OIDC --- .github/workflows/manual-release.yml | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/.github/workflows/manual-release.yml b/.github/workflows/manual-release.yml index 782ddaf2..80fe9c33 100644 --- a/.github/workflows/manual-release.yml +++ b/.github/workflows/manual-release.yml @@ -133,11 +133,12 @@ jobs: --targets=linux-x64,win32-x64,darwin-arm64 \ --ignore-missing + npm-publish: runs-on: ubuntu-latest needs: [check-version, test, upload-assets] permissions: - id-token: write + id-token: write # Required for OIDC steps: - uses: actions/checkout@v6 - uses: actions/setup-node@v6 @@ -151,15 +152,11 @@ jobs: # Dry run NPM publish - name: Dry run NPM publish - run: npm publish --tag ${{ needs.check-version.outputs.oclif_channel }} --provenance --access public --dry-run - env: - NODE_AUTH_TOKEN: ${{ secrets.HD_CLI_NPM_TOKEN }} + run: npm publish --tag ${{ needs.check-version.outputs.oclif_channel }} --access public --dry-run # --provenance no longer needed as OIDC uses that by default # NPM Release - name: Create NPM release - run: npm publish --tag ${{ needs.check-version.outputs.oclif_channel }} --provenance --access public - env: - NODE_AUTH_TOKEN: ${{ secrets.HD_CLI_NPM_TOKEN }} + run: npm publish --tag ${{ needs.check-version.outputs.oclif_channel }} --access public # --provenance no longer needed as OIDC uses that by default publish-images: name: Publish Images
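Review bot: With `id-token: write` now the only publish credential in `npm-publish`, any step that runs in this job can request the OIDC token, yet the context lines reference `actions/checkout@v6` and `actions/setup-node@v6` by mutable tag. Pinning both to a full commit SHA with the version in a trailing comment, as the deleted release.yml did for `actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0`, would keep a retagged action from running under the publishing identity. The comment `# Required for OIDC` could also say what consumes the token, for example `# npm trusted publishing (OIDC); no long-lived NPM token in this job`. The job's steps continue outside the hunk.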
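Review bot: Both publish steps now depend entirely on npm trusted publishing, but nothing visible guarantees an npm CLI recent enough for the OIDC exchange; npm's trusted-publishing documentation asks for npm 11.5.1 or later. The `setup-node` inputs sit between the two hunks, so confirm the Node version it installs bundles such an npm, or add a step such as `- run: npm install -g npm@^11.5.1` before the dry run. Keeping `--provenance` on `Create NPM release` is harmless under OIDC and keeps the attestation requirement explicit if a token is ever reintroduced. The explanation also reads better as a comment line above each `run:` than as a trailing comment on an already long command, for example `# Provenance is attached automatically by trusted publishing`.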