From 1e04fca8814bd7a19f8f46bfacb10068d8e8ac44 Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Tue, 6 Jan 2026 10:02:31 +0000 Subject: [PATCH 1/2] chore: delete `NPM_TOKEN` NPM has deleted a lot of token and introduced a new 90 day maximum expiry window. It is encouraging the use of [trusted publishing](https://docs.npmjs.com/trusted-publishers) as replacement. I have configured trusted publishing on this repo in npm; so it is safe for the npm tokens to be deleted. --- .github/workflows/ci.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 7d899cf3..6fc296ab 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -62,7 +62,7 @@ jobs: run: gh pr merge --auto --merge "$PR_URL" # Use Github CLI to merge automatically the PR env: PR_URL: ${{github.event.pull_request.html_url}} - GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} npm-publish-build: needs: build @@ -82,7 +82,6 @@ jobs: - uses: JS-DevTools/npm-publish@v4.1.2 if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' with: - token: ${{ secrets.NPM_TOKEN }} tag: ${{ env.GITHUB_REF_SLUG }} npm-publish-latest: @@ -101,5 +100,4 @@ jobs: - uses: JS-DevTools/npm-publish@v4.1.2 if: github.actor != 'dependabot[bot]' && github.actor != 'dependabot-preview[bot]' with: - token: ${{ secrets.NPM_TOKEN }} tag: latest From 9797a38d4b8f4f40e73031bdfe77be6121be7ec4 Mon Sep 17 00:00:00 2001 From: Jesse Wright <63333554+jeswr@users.noreply.github.com> Date: Tue, 6 Jan 2026 13:35:53 +0000 Subject: [PATCH 2/2] Enable `id-token: write` --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 6fc296ab..e4196585 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -2,6 +2,8 @@ name: CI permissions: contents: write pull-requests: write + id-token: write + on: push: branches: