From 4c1a7aea059785d06cd20696d41b47db0c20ca97 Mon Sep 17 00:00:00 2001 From: Berend Sliedrecht Date: Thu, 12 Feb 2026 15:27:21 +0100 Subject: [PATCH] feat: trusted publishing Signed-off-by: Berend Sliedrecht --- .github/workflows/release.yml | 33 +++++++++++---------------------- 1 file changed, 11 insertions(+), 22 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0bd09f6..8ab3aea 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,33 +7,30 @@ on: concurrency: ${{ github.workflow }}-${{ github.ref }} +permissions: + contents: write + id-token: write # Needed for npm trusted publishing + pull-requests: write + jobs: release-stable: runs-on: ubuntu-24.04 name: Release Stable - permissions: - contents: write - id-token: write # Required for npm trusted publishing - pull-requests: write outputs: published: ${{ steps.changesets.outputs.published }} steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@v6 - uses: pnpm/action-setup@v4 - - name: Setup NodeJS - uses: actions/setup-node@v4 + uses: actions/setup-node@v6 with: node-version: 22 cache: "pnpm" - registry-url: "https://registry.npmjs.org" - # Ensure npm >= 11.5.1 for trusted publishing support. - # Automatically fetch future security updates - name: Update npm - run: npm install -g npm@^11.5.1 + run: npm install -g npm@^11 - name: Install Dependencies run: pnpm install --frozen-lockfile 
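Review bot: The new top-level `permissions:` block grants `contents: write`, `id-token: write` and `pull-requests: write` to every job in this workflow, where the removed job-level blocks scoped them to `release-stable` and (in the second hunk) `release-unstable`. Only those two jobs are visible here, so the effective grant may be unchanged today, but any job added later will silently inherit write access and the ability to request the OIDC token used for npm trusted publishing. I would keep the per-job blocks and set a restrictive workflow default such as `permissions: {}` or `contents: read`, so that a new job has to opt in explicitly. Whether `release-unstable` needs `pull-requests: write` at all cannot be confirmed from the visible lines and is worth checking while the block is being moved.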
@@ -64,27 +61,19 @@ jobs: name: Release Unstable needs: release-stable if: always() && github.event_name == 'push' && needs.release-stable.outputs.published == 'false' - permissions: - contents: write - id-token: write # Required for npm trusted publishing - pull-requests: write steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: actions/checkout@v6 - uses: pnpm/action-setup@v4 - - name: Setup NodeJS - uses: actions/setup-node@v4 + uses: actions/setup-node@v6 with: node-version: 20 cache: "pnpm" - registry-url: "https://registry.npmjs.org" - # Ensure npm >= 11.5.1 for trusted publishing support. - # Automatically fetch future security updates - name: Update npm - run: npm install -g npm@^11.5.1 + run: npm install -g npm@^11 - name: Install Dependencies run: pnpm install --frozen-lockfile
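Review bot: `actions/checkout@v6` and `actions/setup-node@v6` (and the unchanged `pnpm/action-setup@v4`) are referenced by mutable tag in a job that runs with `id-token: write`; the same lines appear in the `release-stable` job in the first hunk. Since the commit already touches these references, pin each to a full commit SHA with the tag kept as a comment, e.g. `uses: actions/checkout@<full-commit-sha> # v6`, so that a moved tag cannot change what runs with publish rights. Relatedly, `run: npm install -g npm@^11` drops the comment that recorded why a minimum npm version is required; a short comment such as `# trusted publishing needs npm >= 11.5.1` keeps that requirement visible to the next maintainer. The job's remaining steps lie outside the hunk.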