From 75c7640bf7b0be9b552285db825401eae8d1a9a9 Mon Sep 17 00:00:00 2001
From: Jan Kowalleck
Date: Wed, 4 Mar 2026 10:06:32 +0100
Subject: [PATCH 1/6] chore: test trusted publishing
Signed-off-by: Jan Kowalleck
---
.github/workflows/release.yml | 36 +++++++++++++----------------------
1 file changed, 13 insertions(+), 23 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 2700bb796..bfea06b65 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -35,7 +35,7 @@ env:
REPORTS_DIR: CI_reports
PACKED_DIR: CI_packed
PACKED_ARTIFACT: packed
- NODE_ACTIVE_LTS: "24"
+ NODE_ACTIVE_LTS: "24" # https://nodejs.org/en/about/releases/
jobs:
bump:
@@ -57,22 +57,20 @@ jobs: run: | set -eux git config --local user.email "${GITHUB_ACTOR}@users.noreply.github.com" - git config --local user.name "${GITHUB_ACTOR}" + git config --local user.name "${GITHUB_ACTOR}" - name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }} # see https://github.com/actions/setup-node uses: actions/setup-node@v6 with: node-version: ${{ env.NODE_ACTIVE_LTS }} package-manager-cache: false - - name: update npm - run: npm install -g npm@latest ## ! no npm build at the moment - name: bump VERSION id: bump run: | set -eux COMMIT_SIG="Signed-off-by: $(git config user.name) <$(git config user.email)>" - VERSION="$( npm version "$NPMV_NEWVERSION" --message "$NPMV_MESSAGE"$'\n\n'"$COMMIT_SIG" --preid "$NPMV_PREID" )" + VERSION="$(npm version "$NPMV_NEWVERSION" --message "$NPMV_MESSAGE"$'\n\n'"$COMMIT_SIG" --preid "$NPMV_PREID")" echo "::debug::new version = $VERSION" VERSION_PLAIN="${VERSION:1}" # remove 'v' prefix echo "::debug::plain version = $VERSION_PLAIN"
@@ -85,17 +83,17 @@ jobs: - name: git push back run: git push --follow-tags - publish-package: + publish-NPMJS: needs: - "bump" - name: publish package + name: publish NPMJS runs-on: ubuntu-latest timeout-minutes: 30 permissions: id-token: write # Enables provenance signing via OIDC packages: write # Allows writing to organization packages env: - PACKAGE_RELEASE_TAG: ${{ github.event.inputs.prerelease == 'true' && 'unstable-prerelease' || 'latest' }} + NPMJS_RELEASE_TAG: ${{ github.event.inputs.prerelease == 'true' && 'unstable-prerelease' || 'latest' }} steps: - name: Checkout code # see https://github.com/actions/checkout
@@ -108,12 +106,10 @@ jobs: with: node-version: ${{ env.NODE_ACTIVE_LTS }} package-manager-cache: false - - name: update npm - run: npm install -g npm@latest - name: setup project run: | npm install --ignore-scripts --include=optional --loglevel=silly - - name: setup tools + - name: install tools run: | echo "::group::install docs-gen deps" npm run -- dev-setup:tools:docs-gen --ignore-scripts --loglevel=silly
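Review bot: Removing the `update npm` step leaves the publish job on whatever npm `actions/setup-node@v6` bundles with the resolved Node `24` release, and OIDC-based trusted publishing to npmjs is only supported by recent npm CLI versions (npm's documentation names 11.5.1 as the minimum), so the job now depends on that bundled version without saying so. Current Node 24 releases appear to bundle a new enough npm, but a stale runner toolcache or a pinned minor could silently turn this into an authentication failure at publish time. A one-line guard makes the assumption explicit, e.g. `- run: npm --version` right after the setup step, or a comment on the `uses: actions/setup-node@v6` line such as `# bundled npm must be >= 11.5.1 for trusted publishing (OIDC)`. The `setup project` step's `--ignore-scripts` remains a good default for a job that holds publish credentials.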
@@ -125,20 +121,14 @@ jobs: npm run -- dev-setup:tools:test-dependencies --ignore-scripts --loglevel=silly echo "::endgroup::" # no explicit npm build. if a build is required, it should be configured as prepublish/prepublishOnly script of npm. - - name: login to registries - run: | - npm config set "//registry.npmjs.org/:_authToken=$NPM_TOKEN" - npm config set "//npm.pkg.github.com/:_authToken=$GITHUB_TOKEN" - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - - name: publish to NPMJS as "${{ env.PACKAGE_RELEASE_TAG }}" + - name: publish to NPMJS as "${{ env.NPMJS_RELEASE_TAG }}" run: > npm publish - --@cyclonedx:registry='https://registry.npmjs.org' --provenance - --access public - --tag "$PACKAGE_RELEASE_TAG" + --access public + --tag "$NPMJS_RELEASE_TAG" + - name: login to GH package registries + run: npm config set "//npm.pkg.github.com/:_authToken=$GITHUB_TOKEN" - name: publish to GitHub as "${{ env.PACKAGE_RELEASE_TAG }}" run: > npm publish
@@ -161,7 +151,7 @@ jobs: release-GH: needs: - "bump" - - "publish-package" + - "publish-NPMJS" name: publish GitHub runs-on: ubuntu-latest timeout-minutes: 30
From 99ff0a771e31bad0f353145d743f972f731b2532 Mon Sep 17 00:00:00 2001
From: Jan Kowalleck
Date: Wed, 4 Mar 2026 10:08:21 +0100
Subject: [PATCH 2/6] chore: test trusted publishing
Signed-off-by: Jan Kowalleck
---
.github/workflows/release.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index bfea06b65..ad6bb566e 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -83,10 +83,10 @@ jobs: - name: git push back run: git push --follow-tags - publish-NPMJS: + publish-NPMJS-GH: needs: - "bump" - name: publish NPMJS + name: publish NPMJS & GH runs-on: ubuntu-latest timeout-minutes: 30 permissions:
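Review bot: The npmjs publish no longer carries any credential at all, so it only succeeds if a trusted publisher is configured on npmjs.com for `@cyclonedx/cyclonedx-library` and bound to this repository and this workflow file name; nothing in the hunk shows that, and the job's `id-token: write` permission (context above this hunk) is the only visible prerequisite, so a comment on the `publish to NPMJS` step would help the next maintainer, e.g. `# auth via npm trusted publishing (OIDC): the trusted-publisher config on npmjs.com must match this repo + workflow file`. Once that works, the `secrets.NPM_TOKEN` that the removed `login to registries` step consumed should be revoked on npmjs and deleted from the repository, otherwise a long-lived token remains a second publish path that the OIDC binding does not protect. The new `login to GH package registries` step references `$GITHUB_TOKEN` but, unlike the step it replaces, has no `env:` mapping for it, so in this commit the shell variable is empty and `npm config set` stores an empty `_authToken`. The `publish to GitHub` step's `run:` body continues outside the hunk.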
@@ -151,7 +151,7 @@ jobs: release-GH: needs: - "bump" - - "publish-NPMJS" + - "publish-NPMJS-GH" name: publish GitHub runs-on: ubuntu-latest timeout-minutes: 30
From bd68c252d9317146eccbf49653911856354276c0 Mon Sep 17 00:00:00 2001
From: Jan Kowalleck
Date: Wed, 4 Mar 2026 10:08:57 +0100
Subject: [PATCH 3/6] chore: test trusted publishing
Signed-off-by: Jan Kowalleck
---
.github/workflows/release.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index ad6bb566e..98f5c92ba 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -93,7 +93,7 @@ jobs: id-token: write # Enables provenance signing via OIDC packages: write # Allows writing to organization packages env: - NPMJS_RELEASE_TAG: ${{ github.event.inputs.prerelease == 'true' && 'unstable-prerelease' || 'latest' }} + PACKAGE_RELEASE_TAG: ${{ github.event.inputs.prerelease == 'true' && 'unstable-prerelease' || 'latest' }} steps: - name: Checkout code # see https://github.com/actions/checkout
@@ -121,12 +121,12 @@ jobs: npm run -- dev-setup:tools:test-dependencies --ignore-scripts --loglevel=silly echo "::endgroup::" # no explicit npm build. if a build is required, it should be configured as prepublish/prepublishOnly script of npm. - - name: publish to NPMJS as "${{ env.NPMJS_RELEASE_TAG }}" + - name: publish to NPMJS as "${{ env.PACKAGE_RELEASE_TAG }}" run: > npm publish --provenance --access public - --tag "$NPMJS_RELEASE_TAG" + --tag "$PACKAGE_RELEASE_TAG" - name: login to GH package registries run: npm config set "//npm.pkg.github.com/:_authToken=$GITHUB_TOKEN" - name: publish to GitHub as "${{ env.PACKAGE_RELEASE_TAG }}"
From 0a540bf45d51bf02d511c4aab2286a1973dac263 Mon Sep 17 00:00:00 2001
From: jkowalleck
Date: Wed, 4 Mar 2026 09:10:46 +0000
Subject: [PATCH 4/6] 10.0.1-alpha.0
Signed-off-by: jkowalleck
---
package.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 47c0a8bc4..11f19b743 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
{
"name": "@cyclonedx/cyclonedx-library",
- "version": "10.0.0",
+ "version": "10.0.1-alpha.0",
"description": "Core functionality of CycloneDX for JavaScript (Node.js or WebBrowser).",
"license": "Apache-2.0",
"keywords": [
From 9b0e69a7896ae7f7f21e83fdde3030d708bc15a1 Mon Sep 17 00:00:00 2001
From: Jan Kowalleck
Date: Wed, 4 Mar 2026 10:17:28 +0100
Subject: [PATCH 5/6] chore: test trusted publishing
Signed-off-by: Jan Kowalleck
---
.github/workflows/release.yml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 98f5c92ba..faab494b6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -129,6 +129,8 @@ jobs: --tag "$PACKAGE_RELEASE_TAG" - name: login to GH package registries run: npm config set "//npm.pkg.github.com/:_authToken=$GITHUB_TOKEN" + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - name: publish to GitHub as "${{ env.PACKAGE_RELEASE_TAG }}" run: > npm publish
From 901416f1a940d830758adccd9981a016dfa0d234 Mon Sep 17 00:00:00 2001
From: jkowalleck
Date: Wed, 4 Mar 2026 09:31:39 +0000
Subject: [PATCH 6/6] 10.0.1-alpha.2
Signed-off-by: jkowalleck
---
package.json | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/package.json b/package.json
index ad3b137fb..1f70cf661 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
{
"name": "@cyclonedx/cyclonedx-library",
- "version": "10.0.1-alpha.1",
+ "version": "10.0.1-alpha.2",
"description": "Core functionality of CycloneDX for JavaScript (Node.js or WebBrowser).",
"license": "Apache-2.0",
"keywords": [
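Review bot: The added `env:` mapping in the PATCH 5 hunk fixes the empty variable, but `npm config set "//npm.pkg.github.com/:_authToken=$GITHUB_TOKEN"` now writes the token in clear text into the runner's user-level `.npmrc`, where it stays readable by every subsequent step of the job rather than only by the publish that needs it. npm expands `${VAR}` references in `.npmrc` at run time, so the least-privilege form is to persist only a placeholder and scope the secret to the publish step: change the login step to `run: echo '//npm.pkg.github.com/:_authToken=${NODE_AUTH_TOKEN}' >> ~/.npmrc` with no `env:`, and add `env: NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` to the `publish to GitHub` step, whose `run:` body continues outside the hunk. The step name says `registries` although only the GitHub registry is configured here; `login to GH package registry` would match what it does.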