From dcc79168bfb3dfdd249bffe41791d75b9e6cd852 Mon Sep 17 00:00:00 2001
From: Fedor Indutny <indutny@signal.org>
Date: Tue, 25 Nov 2025 13:08:43 -0800
Subject: [PATCH] chore: use OIDC for workflow

---
 .github/workflows/publish.yaml | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 0751f0d..d8b7753 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -119,6 +119,8 @@ jobs:
     name: Publish
 
     permissions:
+      # Required for OIDC
+      id-token: 'write'
       # Needed for ncipollo/release-action.
       contents: 'write'
 
@@ -165,8 +167,6 @@ jobs:
 
       - name: Publish production
         run: pnpm publish --tag '${{ github.event.inputs.npm_tag }}' --access public --no-git-checks ${{ inputs.dry_run && '--dry-run' || ''}}
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Rename symbols
         run: |
@@ -205,5 +205,3 @@ jobs:
 
       - name: Publish profiling
         run: pnpm publish --tag 'profiling' --access public --no-git-checks ${{ inputs.dry_run && '--dry-run' || ''}}
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}