build: update release action to use oidc

fadi-george · fadi-george · commit 69b3ccc6fe73 · 2025-12-26T11:33:49.000-08:00
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -1,8 +1,10 @@
 name: 'CodeQL'
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
-  push:
-    branches: ['main']
   pull_request:
     branches: ['main']
   schedule:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -12,24 +12,24 @@ jobs:
       contents: write
       issues: write
       pull-requests: write
+      id-token: write # to enable use of OIDC for trusted publishing and npm provenance
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
-          token: ${{ secrets.GH_WEB_SHIM_PUSH_TOKEN }}
+
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: 'lts/*'
-          registry-url: 'https://registry.npmjs.org'
+
       - name: Install dependencies
         run: npm ci
+
       - name: Release
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_WEB_SHIM_PUSH_TOKEN }}
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_WEB_SHIM_PUSH_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_WEB_SHIM_PUSH_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GH_PUSH_TOKEN }}
         run: |
           npx -p semantic-release \
               -p @semantic-release/changelog \
