ci(release): switch npm publish to provenance-based auth (#209)

BlackHole1 · web-flow · commit 2d6535189235 · 2026-01-06T12:59:23.000+08:00
Add explicit permissions for OIDC token and contents access.
Remove NODE_AUTH_TOKEN in favor of npm provenance publishing,
which provides stronger supply chain security guarantees.

Signed-off-by: Kevin Cui &lt;bh@bugs.cc&gt;
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -4,6 +4,10 @@ on:
     tags:
       - "v*.*.*"
 
+permissions:
+  id-token: write
+  contents: write
+
 jobs:
   release:
     runs-on: ubuntu-latest
@@ -47,5 +51,3 @@ jobs:
       - name: Publish
         run: |
           pnpm publish --access public --no-git-checks
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
