From fab9fd12b81d94c7c8f04bcf929855706c825a6b Mon Sep 17 00:00:00 2001
From: ishabi
Date: Wed, 1 Apr 2026 11:10:11 +0200
Subject: [PATCH 1/2] use trusted publishing for dev releases
---
 .github/workflows/build.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 79acbe19..ad5f13b1 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -48,13 +48,14 @@ jobs:
 runs-on: ubuntu-latest
 if: github.ref == 'refs/heads/main'
 environment: npm
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+ permissions:
+ id-token: write
 steps:
- - uses: actions/checkout@v2
+ - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - uses: actions/download-artifact@v4
 - uses: actions/setup-node@v3
 with:
+ node-version: '24'
 registry-url: 'https://registry.npmjs.org'
 - run: npm install
 - id: pkg
From 647c6aabad29dc2b3181a9df676d3121909b1149 Mon Sep 17 00:00:00 2001
From: ishabi
Date: Wed, 1 Apr 2026 11:35:03 +0200
Subject: [PATCH 2/2] add contents read for dev publish
---
 .github/workflows/build.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index ad5f13b1..a205eb13 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -49,7 +49,8 @@ jobs:
 if: github.ref == 'refs/heads/main'
 environment: npm
 permissions:
- id-token: write
+ id-token: write # Required for OIDC
+ contents: read
 steps:
 - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 - uses: actions/download-artifact@v4
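Review bot: In PATCH 1/2 the publish job gains `id-token: write`, but `actions/download-artifact@v4` and `actions/setup-node@v3` stay on mutable tags while only `actions/checkout` is pinned to a commit; every step in the job can request the OIDC token, so pin these two the same way, e.g. `- uses: actions/setup-node@<full-commit-sha> # v3`. The context line `- run: npm install` also runs dependency lifecycle scripts inside that job; if the publish step does not need them, `- run: npm ci --ignore-scripts` keeps third-party install code away from the token (this assumes a committed lockfile, which the hunk does not show). Removing the `env:` block does not invalidate the old credential, so the `NPM_TOKEN` secret should be revoked on npm and deleted from the repository or environment secrets. The job's later steps, including the publish command, are outside the hunk.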
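Review bot: In PATCH 2/2 the added `contents: read` carries no comment although it is the line a later maintainer is most likely to delete; a job-level `permissions:` block sets every unlisted scope to none, so this line is what lets `actions/checkout` read the repository. I would write `contents: read  # needed by actions/checkout; unlisted scopes become none`, and make the other comment name its consumer, `id-token: write  # mint the OIDC token for npm trusted publishing`. The hunk does not show whether the workflow also sets a top-level `permissions:` default, so that is worth checking for the other jobs.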