From b93c836c7f242a430e545f0950e9c64cad4068e1 Mon Sep 17 00:00:00 2001
From: OneSignal <noreply@onesignal.com>
Date: Wed, 24 Dec 2025 01:15:39 +0000
Subject: [PATCH] chore: sync with web-shim-codegen v3.0.7

---
 .github/workflows/codeql.yml  |  6 ++++--
 .github/workflows/release.yml | 14 +++++++-------
 2 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index ab7c18e4..df2a86b3 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -1,8 +1,10 @@
 name: 'CodeQL'
 
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 on:
-  push:
-    branches: ['main']
   pull_request:
     branches: ['main']
   schedule:
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7fb5cbb7..d772ecd5 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -12,24 +12,24 @@ jobs:
       contents: write
       issues: write
       pull-requests: write
+      id-token: write # to enable use of OIDC for trusted publishing and npm provenance
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
-          token: ${{ secrets.GH_WEB_SHIM_PUSH_TOKEN }}
+
       - name: Setup Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
           node-version: 'lts/*'
-          registry-url: 'https://registry.npmjs.org'
+
       - name: Install dependencies
         run: npm ci
+
       - name: Release
         env:
-          GITHUB_TOKEN: ${{ secrets.GH_WEB_SHIM_PUSH_TOKEN }}
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_WEB_SHIM_PUSH_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_WEB_SHIM_PUSH_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GH_PUSH_TOKEN }}
         run: |
           npx -p semantic-release \
               -p @semantic-release/changelog \