From 0e47c06f65ec2f395ee438cee0a049b9fe82701a Mon Sep 17 00:00:00 2001
From: Bart Veneman <bartveneman@gmail.com>
Date: Sat, 17 Jan 2026 21:38:38 +0100
Subject: [PATCH] chore: setup release.yml for OIDC publishing

closes #131
---
 .github/workflows/release.yml | 29 +++++++++++------------------
 1 file changed, 11 insertions(+), 18 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index c21436d..1c1695f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,28 +7,21 @@ on:
   release:
     types: [created]
 
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 20
-      - run: npm install --ignore-scripts --no-audit --no-fund
-      - run: npm test
+permissions:
+  id-token: write # Required for OIDC
+  contents: read
 
+jobs:
   publish-npm:
-    needs: build
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v5
+      - uses: actions/setup-node@v5
         with:
-          cache: "npm"
+          node-version: 22
           registry-url: https://registry.npmjs.org/
-      - run: npm install --ignore-scripts --no-audit --no-fund
+      - run: npm install -g npm@latest
+      - run: npm ci --ignore-scripts --no-fund --no-audit
+      - run: npm test
       - run: npm run build
-      - run: npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
+      - run: npm publish --access public