From 49403946afd6b22c8eb4800d07bf8196ff7daf2e Mon Sep 17 00:00:00 2001
From: Petar Todorovic <petar@stakek.it>
Date: Mon, 19 Jan 2026 13:03:22 +0100
Subject: [PATCH] ci: trusted publishing

---
 .github/workflows/release.yml | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f9cdc912..d76ba37b 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -26,6 +26,10 @@ jobs:
 
       - uses: jdx/mise-action@v2
 
+      # npm 11.5.1 or later is required for trusted publishing
+      - name: Update npm
+        run: npm install -g npm@latest
+
       - name: Fix executable files for changesets
         run: |
           chmod -x .husky/commit-msg
@@ -43,4 +47,5 @@ jobs:
           commitMode: github-api
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          # Use OIDC for npm authentication instead of NPM_TOKEN
+          NPM_TOKEN: "" # https://github.com/changesets/changesets/issues/1152#issuecomment-3190884868