From 29e89755c5d3de92fad4624e8f4fa01e876a83ee Mon Sep 17 00:00:00 2001
From: Thomas Bouffard <27200110+tbouffard@users.noreply.github.com>
Date: Wed, 4 Mar 2026 16:08:29 +0100
Subject: [PATCH] ci: publish npm package with trusted publisher

No longer use a token to increase security.
---
 .github/workflows/publish-npm.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/publish-npm.yml b/.github/workflows/publish-npm.yml
index 19bb7a8989..923701a2a0 100644
--- a/.github/workflows/publish-npm.yml
+++ b/.github/workflows/publish-npm.yml
@@ -7,7 +7,7 @@ jobs:
 build:
 runs-on: ubuntu-24.04
 permissions:
- id-token: write
+ id-token: write # required for OIDC: trusted publisher and "npm provenance"
 contents: write # required to get token for "npm provenance" and to dispatch event
 steps:
 - name: Set VERSION
@@ -18,9 +18,9 @@ jobs:
 uses: ./.github/actions/build-setup
 with:
 registry-url: 'https://registry.npmjs.org'
- - run: npm publish --provenance --access public
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+ # no token used, use trusted publisher setup instead (https://docs.npmjs.com/trusted-publishers)
+ - name: Publish to NPM
+ run: npm publish --provenance --access public
 - name: Trigger workflows in charge of notifying other repositories
 uses: peter-evans/repository-dispatch@v4
 with:
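Review bot: In the first hunk, `id-token: write` stays granted to the whole `build` job, and with trusted publishing the OIDC token is now the publish credential itself, so every step of the job can request it. That includes `peter-evans/repository-dispatch@v4` (second hunk), which is referenced by a mutable tag; pinning it, e.g. `uses: peter-evans/repository-dispatch@<full-commit-sha> # v4`, or moving the dispatch into a separate job without `id-token: write`, would narrow that exposure. The unchanged comment on `contents: write` still attributes "npm provenance" to that permission, which the new `id-token` comment contradicts; if dispatching is its only remaining purpose, `contents: write # required to dispatch event` would be accurate. The job definition starts and ends outside the hunk.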
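Review bot: Removing `NODE_AUTH_TOKEN` from the publish step in the second hunk only stops the workflow from using the token; the `NPM_TOKEN` secret and the npm token behind it remain valid publish credentials until they are revoked, which this patch cannot show. Recording that follow-up next to the step would help, e.g. `# follow-up: revoke the former NPM_TOKEN on npmjs.com and delete the repository secret`, and the package's publishing-access setting on npm can then be tightened so that tokens are no longer accepted. Trusted publishing also needs npm CLI 11.5.1 or later, and the npm version provided by `./.github/actions/build-setup` is not visible here, so a preceding `- run: npm --version` would make a mismatch easy to diagnose. The steps list continues outside the hunk.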