From fa7d0b420ec6be9688f83d148c39ed9912ff8adc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Romuald=20Cz=C5=82onkowski?=
Date: Fri, 12 Dec 2025 13:24:25 +0100
Subject: [PATCH] ci: switch NPM publishing to Trusted Publishing (OIDC)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace static NPM_TOKEN with OIDC-based authentication for improved security.

This uses NPM's Trusted Publishing feature which:
- Eliminates need for long-lived tokens
- Provides provenance attestation
- Is the recommended approach by npm

Requires configuring Trusted Publishing in npm package settings:
- Repository owner: czlonkowski
- Repository name: n8n-mcp
- Workflow filename: release.yml

Conceived by Romuald Członkowski - www.aiadvisors.pl/en

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5
---
 .github/workflows/release.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index cc0d643..a57fd2c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -308,6 +308,9 @@ jobs:
     runs-on: ubuntu-latest
     needs: [detect-version-change, build-and-verify, create-release]
     if: needs.detect-version-change.outputs.version-changed == 'true'
+    permissions:
+      contents: read
+      id-token: write # Required for NPM Trusted Publishing (OIDC)
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -393,9 +396,7 @@ jobs:
           max_attempts: 3
           command: |
             cd npm-publish-temp
-            npm publish --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+            npm publish --access public --provenance
 
       - name: Clean up
         if: always()
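Review bot: The inline comment on the new `id-token: write` line has only one space before `#`; yamllint's `comments` rule wants at least two, `id-token: write  # Required for NPM Trusted Publishing (OIDC)`. The job-level `permissions` block is the right shape for this job: it scopes the OIDC token to the publish job only and drops every other default permission, so a comment such as `# Job-level block: all other permissions are denied for this job` would save the next maintainer from wondering why a later step lacks e.g. `packages: write`. The enclosing job definition starts before this hunk.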
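Review bot: Deleting the `env:` block removes `NODE_AUTH_TOKEN` from the publish step, but if an earlier step in this job uses `actions/setup-node` with `registry-url` (not visible in the hunk) it has already written an `.npmrc` containing `_authToken=${NODE_AUTH_TOKEN}`, and npm then typically aborts with "Failed to replace env in config" before any OIDC exchange happens; that step should drop `registry-url` so the token path is fully retired, and a repo-wide search for remaining `secrets.NPM_TOKEN` references is worth doing. Trusted Publishing also needs a recent npm CLI (npm's docs list 11.5.1 or later), which the Node version this job sets up may not bundle, so consider an explicit `npm install -g npm@latest` step before the retry wrapper that runs `npm publish`. Once the workflow is green, the `NPM_TOKEN` secret can be deleted from the repository and revoked on npm, which is what actually closes the long-lived-token exposure the commit message describes. The `nick-fields/retry@v3` step that wraps this command starts before the hunk.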