From dd42d514efc3b6e6f1031f092dcbd934f997a997 Mon Sep 17 00:00:00 2001 From: seanlandsman Date: Wed, 4 Mar 2026 07:20:34 +0000 Subject: [PATCH 1/2] Update release process --- .github/workflows/build.yml | 22 ++++++++++++++++++---- .gitignore | 3 ++- 2 files changed, 20 insertions(+), 5 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index a5eb4770..b9a46da5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -6,7 +6,12 @@ on: - main types: [closed] +env: + CI: true + DEPLOYMENT_APP_ID: 957224 + permissions: + id-token: write # Required for OIDC contents: read jobs: @@ -16,6 +21,12 @@ jobs: runs-on: ubuntu-latest if: github.event.pull_request.merged steps: + - name: Authenticate with GitHub App + uses: actions/create-github-app-token@v1 + id: app-token + with: + app-id: ${{ env.DEPLOYMENT_APP_ID }} + private-key: ${{ secrets.DEPLOYMENT_APP_PRIVATE_KEY }} - name: Checkout Git repository uses: actions/checkout@v4 - name: Install pnpm @@ -40,14 +51,17 @@ jobs: id: create_release uses: actions/create-release@latest env: - GITHUB_TOKEN: ${{ github.token }} + GITHUB_TOKEN: ${{ steps.app-token.outputs.token }} with: commitish: ${{ github.ref }} tag_name: ${{ steps.version.outputs.VERSION }} release_name: ${{ steps.version.outputs.VERSION }} draft: false prerelease: false + # Ensure npm 11.5.1 or later is installed - required for OIDC + - name: Update npm + run: npm install -g npm@latest - name: Publish package - run: pnpm run publish - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} + run: | + cd packages/cli + npm run publish diff --git a/.gitignore b/.gitignore index eb92d2b4..1fadb815 100644 --- a/.gitignore +++ b/.gitignore @@ -4,4 +4,5 @@ /packages/*/vitest.config.mts.timestamp-*.mjs /coverage/ /docs/ -**/_temp/**/* \ No newline at end of file +**/_temp/**/* +.idea From 4058e4c71e039e17646140f16a9800cc9f7726fc Mon Sep 17 00:00:00 2001 
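Review bot: `id-token: write` is added to the workflow-level `permissions` block, but the job appears to declare its own `permissions:` with only `contents: write` (visible as context in the second patch). A job-level block replaces the workflow-level one, and every scope it does not list is set to `none`. If that reading is right, the publish step never receives an OIDC token, while any other job in this workflow would get one it does not need. Moving the grant into the job, as `id-token: write  # npm trusted publishing (OIDC)` next to `contents: write`, fixes both. Separately, `DEPLOYMENT_APP_ID: 957224` is an identifier rather than a number and is safer written as a quoted string.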
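Review bot: The new `Authenticate with GitHub App` step hands `secrets.DEPLOYMENT_APP_PRIVATE_KEY` to an action referenced by the mutable tag `@v1`. Pinning it to a full commit SHA, `uses: actions/create-github-app-token@<full-commit-sha>  # v1.x.y`, keeps a moved tag from changing which code sees the key. The token is also minted with every permission the App installation holds; the only visible consumer is the release step, so `permission-contents: write` under `with:` would narrow it, provided the pinned release supports the `permission-*` inputs. The step runs before checkout and dependency installation, so placing it directly before `Create Release` would shorten the time the token exists. The job's step list continues outside this hunk.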
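Review bot: `npm install -g npm@latest` installs whatever npm release is newest at run time, in the job that holds the release token and the OIDC publish right, so the publishing tool itself is unpinned. The comment above the step already names the minimum version, so an exact pin at or above it would state the requirement and make runs reproducible, for example `run: npm install -g npm@11.5.1`. The same concern applies to `actions/create-release@latest` in the context lines, which now receives the GitHub App token instead of `github.token`. With `NODE_AUTH_TOKEN` removed from the publish step, the `NPM_TOKEN` secret can be revoked on npm and deleted from the repository once the first OIDC publish has succeeded.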
From: seanlandsman Date: Wed, 4 Mar 2026 07:25:54 +0000 Subject: [PATCH 2/2] Update releaes process --- .github/workflows/build.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index b9a46da5..a7a3cae0 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -19,6 +19,7 @@ jobs: permissions: contents: write runs-on: ubuntu-latest + environment: production if: github.event.pull_request.merged steps: - name: Authenticate with GitHub App
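Review bot: `environment: production` only gates the job if that environment has protection rules, such as required reviewers or a deployment-branch restriction to `main`. The line itself adds none, and nothing in the patch shows them being configured. `DEPLOYMENT_APP_PRIVATE_KEY` is best stored as a secret of the `production` environment rather than a repository secret, so that only this job can read it. If the package's trusted-publisher entry on npm names an environment, it has to match this value exactly. A comment on the line would record the intent, for example `# gated by environment protection rules; holds the release secrets`.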