From 1ad64dc836d76d5cfc5584056d2cc3d480141398 Mon Sep 17 00:00:00 2001
From: Michael Smith
Date: Fri, 26 Sep 2025 10:25:37 -0400
Subject: [PATCH] Configure GitHub/npmjs trusted publishing
npm added Trusted Publishing a few months back. It uses OpenID Connect to manage an automatically rotated token between GitHub and npmjs. Given recent attacks on the npm ecosystem, I'd like to adopt this. I've set up the link on the npmjs side following the docs at https://docs.npmjs.com/trusted-publishers
---
 .github/workflows/ts_serialize_release.yml | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/ts_serialize_release.yml b/.github/workflows/ts_serialize_release.yml
index a63fbde9..3559e246 100644
--- a/.github/workflows/ts_serialize_release.yml
+++ b/.github/workflows/ts_serialize_release.yml
@@ -6,6 +6,11 @@ on:
 push:
 tags: ["v*.*.*"]
+# OIDC setup for trusted publishing
+permissions:
+ id-token: write
+ contents: read
+
 jobs:
 test:
 runs-on: ${{ matrix.os }}
@@ -76,9 +81,10 @@ jobs:
 draft: false
 prerelease: false
+ - name: Update npm to 11.5.1 or later for trusted publishing
+ run: npm install -g npm@latest
+
 - name: Deploy to NPM
 run: |
 cd dist
 npm publish --access public
- env:
- NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
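Review bot: The workflow-level `permissions:` block in the first hunk grants `id-token: write` to every job in the file, including `test`, whereas only the job whose step runs `npm publish` needs to mint an OIDC token; consider moving the block under that job (its definition lies outside this hunk) so the test matrix keeps the default read-only token. Note also that an explicit top-level `permissions:` sets every unlisted scope to `none` and pins `contents` to `read`; if the release job creates a GitHub release (the `draft: false` / `prerelease: false` inputs in the second hunk suggest an action that does), that job will need `contents: write`, so the first tag push after merge should be watched for a permissions failure. A one-line note on the block would record the intent, e.g. `# id-token: write is only required by the job that runs npm publish`.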
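Review bot: `run: npm install -g npm@latest` in the second hunk installs whichever npm version is current at run time, an unpinned dependency inside the very step meant to harden the release against supply-chain tampering; pin it to the minimum the step name already states, `run: npm install -g npm@11.5.1`, and bump it deliberately. Since the `NODE_AUTH_TOKEN` env is dropped here, the `NPM_TOKEN` repository secret and the long-lived token behind it no longer serve a purpose and should be revoked on npmjs and removed from the repository settings so a leaked copy cannot publish outside this workflow. The enclosing job definition begins before this hunk.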