From 723db679a641230a796ef79d981bc6ff1c676afb Mon Sep 17 00:00:00 2001
From: ilan ponimansky
Date: Mon, 8 Dec 2025 17:57:04 -0500
Subject: [PATCH] feat: trusted publishing

---
 .github/workflows/publish.yml | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index d46250d..db757a6 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -34,7 +34,12 @@ jobs:
 packages: write
 pull-requests: write
 issues: write
-
+ # OIDC
+ id-token: write
+ env:
+ # Force npm to emit provenance (SLSA) when publishing via OIDC.
+ NPM_CONFIG_PROVENANCE: true
+
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
@@ -57,7 +62,10 @@ jobs:
 run: |
 corepack enable
 corepack prepare yarn@3.6.1 --activate
-
+
+ - name: Ensure npm 11.5.1+ for trusted publishing
+ run: npm install -g npm@^11.5.1
+
 - name: Get yarn cache directory path
 id: yarn-cache-dir-path
 run: echo "dir=$(yarn config get cacheFolder)" >> $GITHUB_OUTPUT
@@ -109,7 +117,6 @@ jobs:
 run: ${{ steps.release_cmd.outputs.cmd }}
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- NPM_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN_PHANTOM_SECURITY_BOT }}
 
 - name: Upload npm logs on failure
 if: failure()
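Review bot: `id-token: write` is the permission that turns this job's GitHub identity into an npm publish credential, but the bare `# OIDC` comment does not record that the trusted publisher configured on npmjs.com is bound to this workflow's file name and job, so a later rename of `publish.yml` or of the job silently stops publishing; replace it with `# OIDC: lets npm exchange this job's GitHub identity token for a short-lived publish credential. The npm trusted-publisher entry is keyed to this workflow file and job name — keep them in sync.` The job also keeps `packages: write`, `pull-requests: write` and `issues: write` (the rest of the `permissions:` block starts above the hunk), so every step that can now mint the id-token also carries those writes; worth confirming each is still required by the release command rather than left over from the token-based flow. `NPM_CONFIG_PROVENANCE: true` is a YAML boolean that Actions hands to the step environment as the string `true`, which is what npm reads, so no quoting is needed there.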
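Review bot: `npm install -g npm@^11.5.1` resolves whatever 11.x is latest on the registry at run time, and that freshly downloaded npm is the binary that will hold the OIDC-minted publish credential, so the publish path now depends on an unpinned download made inside the publishing job; pin it exactly, `run: npm install -g npm@11.5.1`, and bump deliberately (the step name "11.5.1+" can stay as the documented minimum for trusted publishing). The `corepack prepare yarn@3.6.1 --activate` line just above is pinned, so the caret range is also inconsistent with the file's own convention. Trusted publishing is implemented in the npm CLI, so the release command that runs later (`steps.release_cmd`, outside this hunk) presumably has to invoke `npm publish` rather than yarn's publish for the id-token to be used at all — the hunk only installs npm and does not show what actually publishes, so this is worth confirming.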
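Review bot: Dropping `NPM_TOKEN` from the release step's `env` stops this workflow from using the long-lived token, but it does not retire the token itself; if this workflow was its only consumer, revoke `NPM_PUBLISH_TOKEN_PHANTOM_SECURITY_BOT` on npmjs.com and delete the repository secret so a previously leaked copy can no longer publish around the OIDC flow, and once the new path is proven, switch the package's publishing-access setting to one that disallows classic tokens. Also check that no `.npmrc` written by the release tooling (the `release_cmd` step begins above this hunk) still carries an `_authToken=${NPM_TOKEN}` line — with the variable now unset, npm refuses the unresolved placeholder instead of falling back to OIDC. The `GITHUB_TOKEN` line is unchanged and presumably still needed by whatever the release command does against GitHub.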