ci(release): add permissions for OIDC and npm provenance (#185)

gr2m · web-flow · commit 49da025cab6c · 2026-03-21T14:35:56.000-07:00
Add permissions for OIDC, contents, pull-requests, and issues. This enables [npm provenance](https://docs.npmjs.com/generating-provenance-statements) via trusted publishing — the `NPM_TOKEN` secret is no longer needed once the npm package is configured to trust GitHub Actions as a publisher. Also updates `actions/checkout` and `actions/setup-node` to v4.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -6,18 +6,23 @@ name: Release
       - main
       - next
       - beta
+permissions:
+  id-token: write # to enable use of OIDC for trusted publishing and npm provenance
+  contents: write # tags and releases
+  pull-requests: write # comments
+  issues: write # comments
+
 jobs:
   release:
     name: release
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
         with:
           node-version: lts/*
           cache: npm
       - run: npm ci
       - run: npx semantic-release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
