From 1e81b749619dbf9239d2d7153487cfd5ad051c16 Mon Sep 17 00:00:00 2001
From: rawagner
Date: Fri, 31 Oct 2025 10:07:10 +0100
Subject: [PATCH] Update release job to use trusted-publishers flow
---
 .github/workflows/release.yaml | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 21cdf38308..226d4ace2e 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -8,6 +8,10 @@ on: env: NODE_OPTIONS: '--max-old-space-size=8192' +permissions: + id-token: write # Required for OIDC + contents: read + jobs: publish-to-npm: runs-on: ubuntu-latest
@@ -21,7 +25,7 @@ jobs: exit 1 fi - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 with: ref: ${{ github.event.release.target_commitish }} fetch-depth: 0
@@ -42,12 +46,7 @@ jobs: echo "LIBS=${LIBS[@]}" >> $GITHUB_ENV (IFS=,; printf 'The following workspaces will be published: [%s]\n' "${LIBS[*]}") - - name: Configuring git - run: | - git config user.name '${{ github.actor }}' - git config user.email '${{ github.actor }}@users.noreply.github.com' - - - uses: actions/setup-node@v3 + - uses: actions/setup-node@v4 with: cache: yarn node-version: ${{ vars.NODEJS_VERSION }}
@@ -71,9 +70,8 @@ jobs: - name: Publish workspaces to NPM env: - NPM_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }} + NPM_CONFIG_PROVENANCE: true run: | - yarn config set npmScopes.openshift-assisted.npmAuthToken $NPM_AUTH_TOKEN for LIB in $(echo ${LIBS}); do printf 'Publishing @openshift-assisted/%s\n' "${LIB}" yarn workspace @openshift-assisted/${LIB} npm publish
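Review bot: `id-token: write` is granted at workflow level in the first hunk, so every job in this file can request an OIDC token, not only the one that publishes; only `publish-to-npm` is visible here, but a job added later would inherit the grant. Moving the `permissions:` block under `publish-to-npm:` keeps the scope to the job that needs it, and the comment could say what the token is for, e.g. `id-token: write  # OIDC token exchanged with npm for trusted publishing`. Within that job any step can still request the token, so the actions referenced by mutable tag in the later hunks (`actions/checkout@v4`, `actions/setup-node@v4`) are part of the publishing trust boundary; pinning them to a full commit SHA would narrow it.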
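Review bot: `NPM_CONFIG_PROVENANCE` in the last hunk is an npm CLI setting, but the step still publishes with `yarn workspace … npm publish`, and Yarn may not read it, in which case packages would go out without a provenance attestation and without any error. With the `NPM_AUTH_TOKEN` line removed, publishing also depends on the installed Yarn release performing the OIDC exchange itself; the Yarn version is not visible in this hunk, so that should be confirmed before merging. Recent Yarn releases accept a `--provenance` flag on `yarn npm publish`, which states the intent on the command itself: `yarn workspace "@openshift-assisted/${LIB}" npm publish --provenance`. The `for` loop closes outside the hunk.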