From a94ab9e2dfba38fd42fa59c95715932764cc7965 Mon Sep 17 00:00:00 2001
From: Sankhesh Jhaveri 
Date: Tue, 19 May 2026 11:12:20 -0400
Subject: [PATCH 1/2] chore: add semantic-release config for npm OIDC publishing
---
 package.json | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)
diff --git a/package.json b/package.json
index 87e2fdc..65e21b7 100644
--- a/package.json
+++ b/package.json
@@ -82,5 +82,19 @@
 },
 "files": [
 "dist"
- ]
+ ],
+ "release": {
+ "branches": [
+ "master"
+ ],
+ "plugins": [
+ "@semantic-release/commit-analyzer",
+ "@semantic-release/release-notes-generator",
+ "@semantic-release/npm",
+ "@semantic-release/github"
+ ]
+ },
+ "publishConfig": {
+ "access": "public"
+ }
 }
From 6c50ff5d13377a3c0ab6cdad5ac26d255d3ac3f3 Mon Sep 17 00:00:00 2001
From: Sankhesh Jhaveri 
Date: Tue, 19 May 2026 11:13:02 -0400
Subject: [PATCH 2/2] ci: switch to OIDC trusted publishing for npm
---
 .github/workflows/publish.yaml | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index b535d2a..197683a 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -3,19 +3,25 @@
 on:
 push:
 branches:
 - master
- - beta
 jobs:
 publish:
 name: Publish
 runs-on: ubuntu-24.04
+ permissions:
+ contents: write # to be able to publish a GitHub release
+ issues: write # to be able to comment on released issues
+ pull-requests: write # to be able to comment on released pull requests
+ id-token: write # to enable use of OIDC for npm provenance
+ environment:
+ name: npm
 steps:
 - name: Checkout
 uses: actions/checkout@v2
 with:
 fetch-depth: 0
 - name: Setup node
- uses: actions/setup-node@v1
+ uses: actions/setup-node@v4
 with:
 node-version: 24
 - name: Install dependencies
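Review bot: Publishing through `@semantic-release/npm` with provenance (which the companion workflow commit enables) requires `package.json` to carry a `repository.url` matching the GitHub repository the OIDC token is issued for; the registry validates the provenance bundle against that field and, in my experience, rejects the publish with a 422 when it is missing or differs, and this hunk adds `release` and `publishConfig` without showing one. If the field is not already present earlier in the file, add `"repository": { "type": "git", "url": "git+https://github.com/<owner>/<repo>.git" }` next to `publishConfig` before the first OIDC release runs. `"access": "public"` is the correct explicit setting for a scoped package published via trusted publishing; for an unscoped package it is redundant but harmless.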
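Review bot: `actions/checkout@v2` is left on a deprecated major while `actions/setup-node` is bumped to `v4` in the same hunk; v2 runs on a retired Node action runtime and GitHub has been emitting deprecation warnings for it, so bump it to `uses: actions/checkout@v4`. Because this job now holds `id-token: write` together with `contents: write`, any step it runs can mint the OIDC token that npm trusts for publishing, so pinning both actions to full commit SHAs (with Dependabot or Renovate refreshing them) rather than floating major tags is worth doing here. The `environment: name: npm` must match the environment name registered in the package's trusted publisher on npmjs.com, and attaching a required-reviewer or deployment-branch rule to that environment would gate a publish on more than a single push to `master`.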
@@ -26,8 +32,9 @@ jobs:
 run: npm run test
 - name: Release
 env:
- GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ # No need to set NPM_TOKEN because of OIDC
+ NPM_CONFIG_PROVENANCE: true
 run: |
 git config --global user.name "Github Actions"
 git config --global user.email "sebastien.jourdain@kitware.com"
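Review bot: Replacing the `GH_TOKEN` PAT with the built-in `GITHUB_TOKEN` means the tag and GitHub release that semantic-release creates will no longer trigger any other workflow (`on: release` or `on: push: tags`), because events produced with `GITHUB_TOKEN` never start workflow runs; if anything downstream depends on that, it needs a GitHub App installation token or a reinstated PAT. The `# No need to set NPM_TOKEN because of OIDC` comment should also record the cleanup this implies, since the old secret is now dead weight that still grants publish rights if it leaks: `# Auth is OIDC trusted publishing (needs permissions.id-token: write); revoke the former NPM_TOKEN on npmjs.com and delete the repo secret`. Trusted publishing needs npm >= 11.5.1, which `node-version: 24` should resolve to on current releases, but it is worth confirming in the job log with an `npm --version` step rather than assuming.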