From 0a062b5003e2e09fbcda7138c745684647f3056e Mon Sep 17 00:00:00 2001
From: ghiscoding
Date: Sat, 27 Dec 2025 22:17:48 -0500
Subject: [PATCH] chore: publish to npm with OIDC
---
 .github/workflows/release.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b30f890adc..3c88ad2923 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -18,7 +18,7 @@ jobs:
 - name: Check commit message and create tag
 run: |
 COMMIT_MSG=$(git log -1 --pretty=%B)
-
+
 if [[ $COMMIT_MSG =~ ^(v[0-9]+\.[0-9]+\.[0-9]+) ]]; then
 TAG_NAME="${BASH_REMATCH[1]}"
 git config user.name "github-actions[bot]"
@@ -34,6 +34,9 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 publish-npm:
+ permissions:
+ contents: read
+ id-token: write # to enable use of OIDC for npm provenance
 runs-on: ubuntu-latest
 needs: [auto-tag]
 if: github.event_name == 'workflow_dispatch' || success()
@@ -46,6 +49,7 @@ jobs:
 with:
 node-version: 24
 cache: pnpm
+ registry-url: "https://registry.npmjs.org/"
 - name: Install Lerna Lite
 run: pnpm add -g @lerna-lite/cli @lerna-lite/publish
@@ -56,9 +60,6 @@ jobs:
 - name: Build
 run: npm run build
- - name: NPM Login
- run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
-
 - name: Publish to NPM
 run: lerna publish from-package --yes
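Review bot: The `permissions:` block added to `publish-npm` (second hunk) grants `id-token: write` to every step of the job, not only the publish step. That includes the unpinned `pnpm add -g @lerna-lite/cli @lerna-lite/publish` install and the `npm run build` step visible as context in the later hunks, so any install or build script running there could request the same OIDC token that publishing relies on. Consider pinning those global installs to exact versions and binding the job to a protected deployment environment, e.g. `environment: npm-publish` (constructed name), which the registry's trusted-publisher configuration can then require. With the `NPM Login` step removed in the last hunk, the long-lived `NPM_TOKEN` should presumably also be revoked on the registry and deleted from the repository secrets, which is outside this diff. The job definition starts and continues outside the hunk.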