From c921212a8d8021a034cdd5165b445936f65b2e71 Mon Sep 17 00:00:00 2001 From: raj Date: Sun, 21 Jun 2026 12:41:07 -0700 Subject: [PATCH 1/3] ci: switch release workflow to npm Trusted Publishing (OIDC) Security enabled a Trusted Publisher for this repo + release.yml, so publish keylessly via GitHub OIDC instead of the NPM_PUBLISH_TOKEN secret. Adds id-token: write, drops the token, upgrades npm to a Trusted-Publishing-capable version. --- .github/workflows/release.yml | 19 ++++++++++--------- 1 file changed, 10 insertions(+), 9 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 03229803d..203c1a365 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -1,12 +1,11 @@ name: Release -# Publishes @phantom/react-native-fast-image to public npm. The @phantom scope is -# public on npmjs.org (the wallet's Artifactory registry proxies it), so this mirrors -# the publish setup used by phantom/react-native-webview, just triggered by a release -# rather than changesets since this fork is bumped infrequently. +# Publishes @phantom/react-native-fast-image to public npm via npm Trusted Publishing +# (keyless OIDC). Security enabled the Trusted Publisher for this repo + this workflow +# file, so there is no NPM token to manage. Requires `id-token: write` and npm >= 11.5.1. # # To cut a release: bump "version" in package.json on main, then publish a GitHub -# Release tagged v (e.g. v8.6.6). This workflow publishes that version. +# Release tagged v (e.g. v8.6.6), or run this workflow manually. on: release: @@ -15,6 +14,7 @@ on: permissions: contents: read + id-token: write jobs: publish: 
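Review bot: The new header comment says the workflow can also be run manually, but the `on:` block visible in this hunk shows only `release:`; if a `workflow_dispatch` trigger exists further down, a manual run from any branch would publish that branch's contents under the Trusted Publisher with valid provenance. The Trusted Publisher as described is bound only to this repo and workflow file, so consider binding it additionally to a GitHub environment (e.g. `environment: release` on the publish job, protected by required reviewers or a main-only deployment branch rule) and stating that in the header, e.g. `# Publishing is gated on the "release" environment; manual runs must pass its protection rules.` Separately, `Release tagged v (e.g. v8.6.6)` reads as though a placeholder was lost; if that is not an extraction artefact, `Release tagged v<version>` is clearer. The `on:` block continues outside this hunk.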
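Review bot: `id-token: write` is granted at workflow level, so every job and every step in the workflow can mint the OIDC token the Trusted Publisher accepts, not just the `npm publish` step. In this job `yarn install --frozen-lockfile` and `yarn build` execute dependency lifecycle scripts with that capability, so a compromised (dev)dependency could publish to @phantom/react-native-fast-image with an attestation that looks legitimate. At minimum move the grant under the job (`publish:` → `permissions:` → `contents: read` / `id-token: write`) and remove it from the top level; better, build in a job without `id-token`, upload the packed tarball as an artifact, and publish it from a minimal second job that only runs `npm publish`. The `jobs:` block continues outside this hunk, so I cannot tell whether other jobs currently inherit the grant.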
@@ -26,8 +26,10 @@ jobs: - uses: actions/setup-node@v4 with: node-version: 20.x - registry-url: "https://registry.npmjs.org" - scope: "@phantom" + + # Trusted Publishing (OIDC) requires npm >= 11.5.1; Node 20 ships npm 10.x. + - name: Upgrade npm + run: npm install -g npm@latest - name: Install dependencies run: yarn install --frozen-lockfile @@ -35,7 +37,6 @@ jobs: - name: Build run: yarn build + # No NODE_AUTH_TOKEN: npm exchanges the GitHub OIDC token via the Trusted Publisher. - name: Publish run: npm publish --access public - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN_PHANTOM_SECURITY_BOT }} From 040660564d71a0982749e0eed7792fc6bbed7cf2 Mon Sep 17 00:00:00 2001 From: raj Date: Sun, 21 Jun 2026 12:43:52 -0700 Subject: [PATCH 2/3] fix: point package.json repo URLs at the phantom fork npm Trusted Publishing validates package.json repository.url against the provenance (the building repo). It still pointed at DylanVann/react-native-fast-image, which fails provenance with E422. Update homepage/bugs/repository to phantom/react-native-fast-image. --- package.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package.json b/package.json index 9034f9fc8..86bb2bb3a 100644 --- a/package.json +++ b/package.json @@ -9,13 +9,13 @@ "image", "priority" ], - "homepage": "https://github.com/DylanVann/react-native-fast-image#readme", + "homepage": "https://github.com/phantom/react-native-fast-image#readme", "bugs": { - "url": "https://github.com/DylanVann/react-native-fast-image/issues" + "url": "https://github.com/phantom/react-native-fast-image/issues" }, "repository": { "type": "git", - "url": "https://github.com/DylanVann/react-native-fast-image.git" + "url": "git+https://github.com/phantom/react-native-fast-image.git" }, "license": "(MIT AND Apache-2.0)", "author": "Dylan Vann (https://dylanvann.com)", From b9fbb040f968d65e2e1fffa947745a5b38a847cd Mon Sep 17 00:00:00 2001 
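Review bot: `npm install -g npm@latest` puts an unpinned, mutable dependency directly on the publishing path, so the release job runs whatever npm tarball the registry serves that day, in a job that can mint the publish token. Pin it to the version that was tested, e.g. `run: npm install -g npm@11.5.1` (or a specific later release), and for the same reason pin `actions/setup-node@v4` to a full commit SHA with the tag in a trailing comment. If `yarn build` does not depend on them, add `--ignore-scripts` to the install step (`run: yarn install --frozen-lockfile --ignore-scripts`) so dependency lifecycle scripts do not run with publish rights; if the build does need them, that is a reason to split build and publish into separate jobs.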
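Review bot: Nothing before `npm publish --access public` checks that the version in package.json matches the release tag that triggered the run, so a GitHub Release tagged `v8.6.6` created before the version bump landed on `main` would publish whatever version package.json currently holds, with provenance. Add a guard step ahead of the publish that compares `github.event.release.tag_name` with `v$(npm pkg get version)`, passing the tag through `env:` rather than interpolating `${{ }}` into the shell. If manual runs are supported the tag will be empty there, so either skip the check on `workflow_dispatch` or take the expected version as an input. Consider also `npm publish --access public --provenance` so the run fails if an attestation cannot be produced rather than publishing without one; confirm that behaviour against the docs for the npm version you pin.
```yaml
- name: Verify release tag matches package.json version
  env:
    TAG: ${{ github.event.release.tag_name }}
  run: test "$TAG" = "v$(npm pkg get version | tr -d '"')"
# … unchanged: Publish step …
```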
From: raj Date: Sun, 21 Jun 2026 12:46:21 -0700 Subject: [PATCH 3/3] ci: re-assert repository metadata after build for provenance dv-scripts build rewrites package.json repository.url to the upstream repo, failing Trusted Publishing provenance (E422). Re-set it on the built package.json right before publish. --- .github/workflows/release.yml | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 203c1a365..2b3b91e89 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -37,6 +37,15 @@ jobs: - name: Build run: yarn build + # `dv-scripts build` resets package.json repository metadata to the upstream + # (DylanVann) repo, which fails Trusted Publishing provenance validation + # (provenance expects this repo). Re-assert it on the built package.json. + - name: Restore repository metadata for provenance + run: | + npm pkg set repository.type=git + npm pkg set repository.url=git+https://github.com/phantom/react-native-fast-image.git + npm pkg set homepage=https://github.com/phantom/react-native-fast-image#readme + # No NODE_AUTH_TOKEN: npm exchanges the GitHub OIDC token via the Trusted Publisher. - name: Publish run: npm publish --access public
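Review bot: The restore step re-sets `repository.type`, `repository.url` and `homepage` but not `bugs.url`, which patch 2 also moved to the fork; if `dv-scripts build` rewrites the whole metadata block as the comment suggests, the published manifest will still point `bugs` at the upstream repo. More importantly the step patches the symptom and then publishes without verifying the result, so whatever else the build wrote into package.json ships unreviewed. Set all fields in one `npm pkg set` call, fail fast if `repository.url` is not the value provenance expects (`npm pkg get` prints JSON, hence the quoted comparison), and log the tarball with `npm pack --dry-run` so the shipped manifest and file list are visible in the run. Stopping `dv-scripts build` from rewriting the manifest is the root-cause fix, but that lives outside this file.
```yaml
- name: Restore repository metadata for provenance
  run: |
    npm pkg set repository.type=git \
      repository.url=git+https://github.com/phantom/react-native-fast-image.git \
      homepage=https://github.com/phantom/react-native-fast-image#readme \
      bugs.url=https://github.com/phantom/react-native-fast-image/issues
    test "$(npm pkg get repository.url)" = '"git+https://github.com/phantom/react-native-fast-image.git"'
    npm pack --dry-run
# … unchanged: Publish step …
```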