From be37ddb3127188cab1419ed29f2d5c533ac194f0 Mon Sep 17 00:00:00 2001
From: Kevin Cui
Date: Tue, 6 Jan 2026 12:54:59 +0800
Subject: [PATCH] ci(release): switch npm publish to provenance-based auth

Add explicit permissions for OIDC token and contents access. Remove NODE_AUTH_TOKEN in favor of npm provenance publishing, which provides stronger supply chain security guarantees.

Signed-off-by: Kevin Cui
---
 .github/workflows/release.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 00970ee..81f94ad 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,6 +4,10 @@ on:
 tags:
 - "v*.*.*"
+permissions:
+ id-token: write
+ contents: write
+
 jobs:
 release:
 runs-on: ubuntu-latest
@@ -47,5 +51,3 @@ jobs:
 - name: Publish
 run: |
 pnpm publish --access public --no-git-checks
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
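Review bot: `contents: write` in the new workflow-level `permissions` block of the first hunk is broader than a registry publish needs — OIDC trusted publishing requires only `id-token: write`, so unless a step elsewhere in the `release` job (outside this hunk) creates a GitHub release or pushes to the repository, it should be `contents: read`. The second hunk removes `NODE_AUTH_TOKEN` without adding anything in its place, so the publish now depends on the package having a trusted publisher configured on the registry for this repository and workflow file, and on the pnpm version pinned in the setup step (outside the hunk) supporting OIDC token exchange; if either is missing the step fails for lack of credentials rather than publishing with provenance, which is worth confirming before the next tag. Because the long-lived `NPM_TOKEN` is no longer consumed by the workflow, it should also be revoked on the registry and deleted from the repository secrets, otherwise a leaked copy can still publish and the supply-chain gain described in the commit message is only partial. Scoping `permissions` to the `release` job rather than the whole workflow would keep the write-capable token limited to the job that publishes.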