Add trusted publishing using OIDC

ddaspit · ddaspit · commit 1de2ec3b1ee7 · 2025-11-18T13:37:33.000-05:00
diff --git a/.github/workflows/ci-test-publish.yml b/.github/workflows/ci-test-publish.yml
@@ -11,23 +11,22 @@ on:
     tags:
       - "v*"
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v4
-      - name: Setup Node.js
-        uses: actions/setup-node@v4
-        with:
-          node-version: 20
+      - uses: actions/checkout@v5
+      - uses: volta-cli/action@v4
       - run: npm ci
       - run: npm run lint
       - run: npm run prettier:ci
       - run: npm run build
       - run: npm run test:ci
       - name: npm publish
         if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/v') && contains(github.ref, '.')
-        uses: JS-DevTools/npm-publish@v3
-        with:
-          token: ${{ secrets.NPM_TOKEN }}
+        uses: JS-DevTools/npm-publish@v4
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -106,5 +106,9 @@
     "LICENSE",
     "README.md",
     "dist/**/*"
-  ]
+  ],
+  "volta": {
+    "node": "24.11.1",
+    "npm": "11.6.2"
+  }
 }
