From 4439a6bd5801acbfb9a995e10829ba425c3d9060 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rafa=C5=82=20Rzepecki?=
Date: Thu, 26 Feb 2026 16:23:05 +0100
Subject: [PATCH] chore: migrate to npm trusted publishing and GitHub App token

- Replace PAT with GitHub App token (RELEASE_BOT_APP_ID/PRIVATE_KEY) in release job; app token events trigger other workflows unlike GITHUB_TOKEN
- Remove npm publish from semantic-release; add separate publish.yml workflow triggered on version tags using OIDC (no NPM_TOKEN needed)
- Drop id-token: write and write permissions from release job (governed by app installation, not workflow permissions block)
- Add windows-test to release job dependencies
- Remove @semantic-release/npm plugin from .releaserc.yaml

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/ci.yml | 21 ++++++++++-----------
 .github/workflows/publish.yml | 20 ++++++++++++++++++++
 .releaserc.yaml | 1 -
 3 files changed, 30 insertions(+), 12 deletions(-)
 create mode 100644 .github/workflows/publish.yml

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f5f806b4..516cc3d4 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -58,22 +58,21 @@ jobs:
   release:
     runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      issues: write
-      pull-requests: write
-      id-token: write
+    permissions: {}
     if: github.ref_name == 'main'
-    needs: [lint, test]
+    needs: [lint, test, windows-test]
     steps:
+      - uses: actions/create-github-app-token@v1
+        id: app-token
+        with:
+          app-id: ${{ secrets.RELEASE_BOT_APP_ID }}
+          private-key: ${{ secrets.RELEASE_BOT_PRIVATE_KEY }}
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
-          token: ${{ secrets.SEMANTIC_RELEASE_BOT_GITHUB_TOKEN }}
+          token: ${{ steps.app-token.outputs.token }}
       - uses: actions/setup-node@v4
       - run: yarn
-      - run: yarn prepack
       - run: yarn semantic-release
-        env:
-          NPM_TOKEN: ${{ secrets.SEMANTIC_RELEASE_BOT_NPM_TOKEN }}
-          GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_BOT_GITHUB_TOKEN }}
+        env:
+          GITHUB_TOKEN: ${{ steps.app-token.outputs.token }}
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
new file mode 100644
index 00000000..98a8809c
--- /dev/null
+++ b/.github/workflows/publish.yml
@@ -0,0 +1,20 @@
+name: Publish to npm
+
+on:
+  push:
+    tags:
+      - 'v[0-9]*'
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          registry-url: 'https://registry.npmjs.org'
+      - run: yarn
+      - run: npm publish --provenance
diff --git a/.releaserc.yaml b/.releaserc.yaml
index 91cbbf84..490e71a0 100644
--- a/.releaserc.yaml
+++ b/.releaserc.yaml
@@ -8,6 +8,5 @@ plugins:
   - "@semantic-release/commit-analyzer"
   - "@semantic-release/release-notes-generator"
   - "@semantic-release/changelog"
-  - "@semantic-release/npm"
   - "@semantic-release/git"
   - "@semantic-release/github"
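Review bot: The app installation token handed to `actions/checkout@v4` via `token:` stays in `.git/config` for the rest of the job, because `persist-credentials` defaults to true, so the following `yarn` install and any dependency lifecycle scripts it runs execute with that write-capable credential reachable on disk. As far as I can tell `@semantic-release/git` authenticates its push from the `GITHUB_TOKEN` in `env:` rather than from the stored checkout credential (confirm against the semantic-release version in use), so adding `persist-credentials: false` next to `fetch-depth: 0` confines the token to the steps that reference it explicitly. With `permissions: {}` the repository-write rights this job exercises are no longer visible in the workflow file and live in the app installation instead; a comment above the `create-github-app-token` step such as `# Write access for the release comes from the app installation (contents, issues, pull-requests), not from this permissions block` would keep that visible to readers. The enclosing `jobs:` mapping begins before this hunk.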
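Review bot: The publish job runs on any `v[0-9]*` tag push regardless of which commit the tag points at, while the release job that produces those tags is gated on `github.ref_name == 'main'`, so any account or integration able to create a matching tag in this repository can mint an OIDC-attested npm release without going through the release job. Protect `v*` tag creation with a repository ruleset, or give this job an `environment:` and bind the npm trusted-publisher configuration to that environment name, so the trust the registry extends to this workflow file cannot be exercised from an ad-hoc tag. `actions/setup-node@v4` is called without `node-version`, so the npm behind `npm publish --provenance` is whatever the runner image ships; trusted publishing needs npm 11.5.1 or newer, so pin a Node version that satisfies it or upgrade npm in a preceding step rather than depending on the image default. `yarn` also runs without `--frozen-lockfile` (Yarn 1) or `--immutable` (Yarn 2+) here, and since this job now builds the published tarball, a lockfile-enforcing install would make the artifact reproducible from the committed lockfile.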