ci: enable trusted publishing for npm

hatemhosny · hatemhosny · commit 080fa8b9c9f9 · 2025-12-07T15:58:32.000+02:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -6,6 +6,10 @@ on:
       - develop
     types: [closed]
 
+permissions:
+  id-token: write # Required for OIDC
+  contents: write
+
 env:
   NODE_VERSION: 24.x
 
@@ -39,6 +43,10 @@ jobs:
           cache: "npm"
           cache-dependency-path: "**/package-lock.json"
 
+      # Ensure npm 11.5.1 or later is installed (for OIDC)
+      - name: Update npm
+        run: npm install -g npm@latest
+
       - name: Install dependencies
         run: npm ci
 
@@ -91,12 +99,8 @@ jobs:
 
       - name: Publish SDK to NPM
         if: startsWith(github.head_ref, 'releases/sdk-v')
-        run: |
-          echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc
-          npm publish --access=public
         working-directory: ./build/sdk
-        env:
-          NPM_TOKEN: ${{secrets.NPM_TOKEN}}
+        run: npm publish --access=public
 
       - name: Create pull request to main (App)
         if: startsWith(github.head_ref, 'releases/v')
