From 7a0dfeddd1b14c296c2c661bd7930526ca5d9d2d Mon Sep 17 00:00:00 2001
From: Kofoworola Ogunleye
Date: Fri, 10 Oct 2025 11:27:46 +0100
Subject: [PATCH] feat: use OIDC to connect to NPM

This approach eliminates the security risks associated with long-lived write tokens, which can be compromised, accidentally exposed in logs, or require manual rotation. Instead, each publish uses short-lived, cryptographically-signed tokens that are specific to the workflow and cannot be extracted or reused. this also adds id-token: write permission, which allows GitHub Actions to generate OIDC tokens
---
 .github/workflows/create_semantic_release.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/create_semantic_release.yml b/.github/workflows/create_semantic_release.yml
index 8a2b610..b7b697f 100644
--- a/.github/workflows/create_semantic_release.yml
+++ b/.github/workflows/create_semantic_release.yml
@@ -17,6 +17,8 @@ jobs:
 semantic_release:
 name: semantic release
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
 steps:
 - uses: actions/checkout@v3
@@ -44,4 +46,3 @@ jobs:
 # workflows, if you need that see
 # https://github.com/semantic-release/github#github-authentication
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
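Review bot: Declaring a job-level `permissions:` block that lists only `id-token: write` sets every other GITHUB_TOKEN scope to none, so the `GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}` still passed to semantic-release later in this job loses the `contents: write` it needs to push the release tag and create the GitHub release, and the run will fail at that step rather than at publish. The scopes the release needs should be declared next to the new key, `contents: write`, `issues: write` and `pull-requests: write` (the last two only if the github plugin's success/fail comments are wanted). Npm trusted publishing also only works after a trusted publisher for this repository and this workflow file is registered on npmjs.com and the job runs an npm CLI recent enough to exchange the OIDC token; the setup-node step is outside the hunk so its version can't be confirmed here, and with NPM_TOKEN removed there is no fallback if that exchange fails. The commit message's claim that the token "cannot be extracted" overstates it: the OIDC token is short-lived and scoped to this workflow, but it is still readable by any step or action running in the job. The enclosing `semantic_release` job continues outside the hunk.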