From 7c79649bc8e255b38f7a678c133a79165282115c Mon Sep 17 00:00:00 2001
From: sjsjsj1246
Date: Wed, 25 Mar 2026 17:03:36 +0900
Subject: [PATCH] =?UTF-8?q?[-]:=20trusted=20publishing=20=EC=A0=84?= =?UTF-8?q?=ED=99=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .github/workflows/release.yml | 6 +++---
 docs/releasing.md | 11 ++++++++++-
 2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b89b431..35cf747 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -11,6 +11,7 @@ jobs: runs-on: ubuntu-latest permissions: contents: write + id-token: write pull-requests: write steps:
@@ -24,10 +25,10 @@ jobs: with: version: 10.12.4 - - name: Use Node.js 20 + - name: Use Node.js 22 uses: actions/setup-node@v4 with: - node-version: 20 + node-version: 22 cache: pnpm registry-url: https://registry.npmjs.org
@@ -43,4 +44,3 @@ jobs: commit: "[-]: version packages" env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/docs/releasing.md b/docs/releasing.md
index 7725464..f116b9a 100644
--- a/docs/releasing.md
+++ b/docs/releasing.md
@@ -4,7 +4,15 @@ This repository now uses [Changesets](https://github.com/changesets/changesets) ## One-time setup -The GitHub release workflow expects an `NPM_TOKEN` repository secret with publish access to the `react-tutorial-overlay` npm package. +This repository uses npm Trusted Publishing for GitHub Actions. + +Set up once on npm: + +1. Open the `react-tutorial-overlay` package settings on npm. +2. Add a Trusted Publisher for the `sjsjsj1246/react-tutorial-overlay` GitHub repository. +3. Set the workflow filename to `release.yml`. + +After that, the GitHub release workflow can publish without storing a long-lived `NPM_TOKEN` secret. ## Everyday workflow
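Review bot: Removing `NPM_TOKEN` from the publish step's env in the last hunk leaves authentication entirely to the OIDC exchange enabled by `id-token: write` in the first hunk, yet nothing in the workflow pins a publishing CLI that supports trusted publishing: the npm bundled with Node 22 predates that feature as far as I recall, and `changeset publish` may route through the pinned pnpm 10.12.4 rather than npm, so confirm with a dry-run publish that the CLI actually used is new enough. The same dry run should confirm that the `.npmrc` entry setup-node writes for `registry-url: https://registry.npmjs.org` (an `_authToken=${NODE_AUTH_TOKEN}` line) does not take precedence over the OIDC flow. Because the Trusted Publisher is bound to the `release.yml` filename, any job in this file holding `id-token: write` can mint a publish credential, so keep the permission at job level as it is here rather than hoisting it to the workflow, and consider also binding the publisher to a protected environment. Once the first OIDC publish succeeds, revoke the old npm token and delete the `NPM_TOKEN` repository secret; otherwise the long-lived credential this change set out to remove stays live. The job definition starts above the first hunk.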
@@ -65,6 +73,7 @@ On pushes to `main` or manual dispatch, `.github/workflows/release.yml` runs `ch - If unreleased changesets exist, it opens or updates a release PR. - If the release PR has already been merged and version files are on `main`, it runs `pnpm release`. - `pnpm release` verifies tests, docs lint/build, size limits, and then runs `changeset publish`. +- Publishing uses GitHub Actions OIDC via npm Trusted Publishing instead of an `NPM_TOKEN` secret. ## Notes for this repo