From ec891611f47984de51abdcd9588088f590ecdfa7 Mon Sep 17 00:00:00 2001
From: Tobias
Date: Tue, 5 Aug 2025 09:01:24 +0200
Subject: [PATCH] switch to trusted publishing for npmjs.com
---
 .github/workflows/release.yml | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f26a618..14fe794 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -16,11 +16,14 @@ jobs:
 node-version: "20.x"
 # registry-url is required for releasing packages
 registry-url: "https://registry.npmjs.org"
+
+ - name: Install latest npm cli
+ run: npm install -g npm@latest
+
 - run: npm ci
 - name: Publish package
- # --provenance enables the automatic generation of provenance statements
+ # --provenance enables the automatic generation of provenance statements (when using trusted publisher, this is automatically enabled and therefore optional)
 # --access public is only hard required for the initial release, but it doesn't hurt having it setup
+ # npm version >=11.5.1 required for trusted publisher
 run: npm publish --provenance --access public
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
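Review bot: The added `Install latest npm cli` step runs `npm install -g npm@latest`, so the release job runs whatever npm version is current at release time, unreviewed, in the job that holds the publish identity. Pin it to a reviewed version at or above the minimum the new comment names, for example `run: npm install -g npm@11.5.1`, and move the `# npm version >=11.5.1 required for trusted publisher` comment onto that step, where the constraint is enforced. Dropping `NODE_AUTH_TOKEN` removes only the reference: the long-lived token stays valid until it is revoked on npmjs.com and `NPM_TOKEN` is deleted from the repository secrets. The job's `permissions` block is outside this hunk; trusted publishing authenticates over OIDC, so confirm `id-token: write` is granted on this job only and not workflow-wide.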