ci: Switch release action to OIDC

manthey · manthey · commit b3176353e97d · 2025-10-29T15:54:53.000-04:00
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -13,6 +13,9 @@ on:
   schedule:
     - cron: "0 7 * * 1"
 
+permissions:
+  id-token: write
+  contents: read
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -106,13 +109,15 @@ jobs:
         publish_dir: website/public
         force_orphan: true
   deploy-npm:
+    if: ${{ github.ref == 'refs/heads/master' }}
     needs: build
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v5
     - uses: actions/setup-node@v6
       with:
         node-version: 'lts/*'
+        registry-url: 'https://registry.npmjs.org'
     - run: sudo apt-get update
     - run: sudo apt-get install --yes --no-install-recommends optipng imagemagick build-essential libcairo2-dev libpango1.0-dev libjpeg-dev libgif-dev librsvg2-dev liblzma-dev
     - run: npm ci
@@ -126,5 +131,4 @@ jobs:
     - name: Release
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
       run: npx semantic-release
