From 12f618a2f072e95351b36556a641c40517022aac Mon Sep 17 00:00:00 2001 From: Jeppe Reinhold Date: Tue, 6 Jan 2026 16:24:45 +0100 Subject: [PATCH 1/2] use npm trusted publishing for releases --- .github/workflows/release.yml | 29 ++++++++++++++++++++++------- 1 file changed, 22 insertions(+), 7 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 5ed3df2..826ded6 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -2,6 +2,11 @@ name: Release on: [push] +permissions: + id-token: write + contents: write + pull-requests: write + jobs: release: runs-on: ubuntu-latest @@ -9,23 +14,33 @@ jobs: steps: - uses: actions/checkout@v4 + - name: "Set git user" + run: | + git config --global user.name 'storybook-bot' + git config --global user.email '32066757+storybook-bot@users.noreply.github.com' + - name: Prepare repository run: git fetch --unshallow --tags - - name: Use Node.js 18.x - uses: actions/setup-node@v3 + - name: Use Node.js + uses: actions/setup-node@v4 with: - node-version: 18.x + node-version: 24.x - name: Enable Corepack run: corepack enable - - - name: Install dependencies - uses: bahmutov/npm-install@v1 + + - name: Use Node.js + uses: actions/setup-node@v4 + with: + node-version: 24.x + cache: "yarn" + + - name: Install Node.js dependencies + run: yarn install --immutable - name: Create Release env: GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} run: | yarn release From 0f58d593558a8793079c44e19fb619cb4237f46b Mon Sep 17 00:00:00 2001 From: Jeppe Reinhold Date: Tue, 6 Jan 2026 16:30:28 +0100 Subject: [PATCH 2/2] use github app bot --- .github/workflows/release.yml | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 826ded6..8891209 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
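Review bot: The new top-level `permissions:` block grants `id-token: write` to every job, while the unchanged `on: [push]` trigger starts this workflow on a push to any branch, so every such run can request the OIDC token that npm trusted publishing relies on. Whether a branch push can actually publish depends on the trusted-publisher entry on npm and on what `yarn release` does, neither of which is visible here. I would move the block under `jobs.release` and bind the job to a protected environment with `environment: <release-environment-name>`, using the same name in the npm trusted-publisher configuration. A comment such as `# id-token: write is required for npm trusted publishing (OIDC)` above the grant would also tell the next maintainer why it is there.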
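Review bot: `actions/checkout@v4` and both `actions/setup-node@v4` steps are referenced by mutable tag in a job that holds `id-token: write` and `contents: write`. Pinning them to a full commit SHA with the tag as a trailing comment, `uses: actions/setup-node@<full-commit-sha> # v4`, keeps a moved tag out of the publishing path; the second commit on this page already does this for `actions/create-github-app-token`. The hunk also adds `Use Node.js` twice, before and after `Enable Corepack`. If the repeat is deliberate (presumably so Corepack is active before the `cache: "yarn"` lookup), a comment such as `# second setup-node run: yarn must be enabled before the cache can be resolved` would stop someone removing it. Consider also whether a restored dependency cache belongs in the job that publishes at all.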
@@ -14,10 +14,12 @@ jobs: steps: - uses: actions/checkout@v4 - - name: "Set git user" - run: | - git config --global user.name 'storybook-bot' - git config --global user.email '32066757+storybook-bot@users.noreply.github.com' + # see https://docs.github.com/en/apps/creating-github-apps/authenticating-with-a-github-app/making-authenticated-api-requests-with-a-github-app-in-a-github-actions-workflow + - uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4 + id: app-token + with: + app-id: ${{ vars.STORYBOOK_BOT_APP_ID }} + private-key: ${{ secrets.STORYBOOK_BOT_APP_PRIVATE_KEY }} - name: Prepare repository run: git fetch --unshallow --tags @@ -41,6 +43,6 @@ jobs: - name: Create Release env: - GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} + GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} run: | yarn release
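Review bot: The `actions/create-github-app-token` step sets only `app-id` and `private-key`, so the minted token carries every permission the app installation has been granted. The action's `permission-<name>` inputs can narrow it, for example `permission-contents: write` and `permission-pull-requests: write`, if those are all `yarn release` needs (inferred from the workflow's `permissions:` block, not verified). The step also runs after `actions/checkout@v4`, which by default stores the default `GITHUB_TOKEN` in the local git config. Any `git push` made by the release script would therefore still authenticate with that token rather than the app, unless checkout is moved after this step and given `token: ${{ steps.app-token.outputs.token }}`. With the `Set git user` step removed, confirm that the release script sets a commit identity itself if it creates commits or tags.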
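Review bot: Once `GITHUB_TOKEN` for `Create Release` comes from `steps.app-token.outputs.token`, the workflow-level `contents: write` and `pull-requests: write` grants on the default token look unused. If nothing else in the job relies on them, reduce the block to `contents: read` plus `id-token: write`. `secrets.GH_TOKEN` is no longer referenced after this change, and `secrets.NPM_TOKEN` has been unreferenced since the first commit, so both long-lived credentials should be revoked and deleted from the repository settings rather than left in place.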