From 3d7c4fe844170c88488f5f4b8a469e33786e3d94 Mon Sep 17 00:00:00 2001 From: omer-topal Date: Fri, 12 Jun 2026 14:34:32 +0300 Subject: [PATCH] change publish workflow to trusted publishing --- .github/workflows/publish.yml | 14 +++++++++----- RELEASE.md | 26 +++++++++++++++----------- 2 files changed, 24 insertions(+), 16 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 8024bae..4478f86 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -5,6 +5,10 @@ on: types: - "published" +permissions: + contents: read + id-token: write + jobs: publish: name: Publish to NPM @@ -19,10 +23,12 @@ jobs: - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0 with: - cache-dependency-path: ./yarn.lock - cache: "yarn" - node-version: 20 + node-version: 22.14.0 registry-url: "https://registry.npmjs.org" + package-manager-cache: false + + - name: Install npm with trusted publishing support + run: npm install --global npm@^11.5.1 - name: Install dependencies run: yarn install --frozen-lockfile --non-interactive @@ -43,5 +49,3 @@ jobs: - name: Publish to NPM run: npm publish --access public - env: - NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} diff --git a/RELEASE.md b/RELEASE.md index da222e3..cc56828 100644 --- a/RELEASE.md +++ b/RELEASE.md 
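Review bot: The new workflow-level `permissions:` block grants `id-token: write` to every job in the workflow, not only to `publish`; keeping `contents: read` at the top and moving the OIDC scope under the job (`publish:` / `permissions:` / `id-token: write`) limits the token to the one job that needs it. Only the `publish` job is visible in this hunk, so the exposure is small today, but any job added later would inherit the write scope silently. The trusted-publisher registration is keyed on the workflow filename, so job-level placement does not change anything on the npm side.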
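Review bot: `npm install --global npm@^11.5.1` resolves a caret range at run time, so each release run may execute a different npm build than the one last reviewed, which is the opposite of what the SHA-pinned `actions/setup-node@… # v6.0.0` line above it achieves; pin an exact version, e.g. `run: npm install --global npm@11.5.1`, and bump it deliberately. Separately, `node-version: 22.14.0` parses as a string only because it has two dots — quoting it as `node-version: "22.14.0"` matches the quoted `registry-url` on the next line and avoids the integer ambiguity the removed `node-version: 20` had. Disabling the yarn cache looks intentional (`package-manager-cache: false`), so I am not raising that. The step list continues outside the hunk.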
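Review bot: With the `NODE_AUTH_TOKEN` env removed, the `NPM_TOKEN` repository secret becomes unused but stays valid; it should be deleted from the repository settings and revoked on npm so a dormant automation token cannot be used to publish outside this workflow. It is also worth confirming that no other step in the file (the `registry-url` input on the setup-node step, for instance) still writes an `_authToken` into `.npmrc`, since a token-based credential, when present, may be preferred over OIDC — I cannot verify that from this hunk. The `publish` job's steps begin outside the hunk.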
@@ -86,14 +86,18 @@ yarn buf:generate ## Configuration -### Required Secrets +### Trusted Publisher -Set in GitHub repository settings: +Publishing uses npm trusted publishing, so no long-lived npm publish token is required. -- **NPM_TOKEN**: Authentication token for publishing to NPM - - Create at [npmjs.com](https://www.npmjs.com/) → Access Tokens - - Type: **Automation** - - Permission: **Read and Write** +Configure the trusted publisher in the npm package settings: + +- **Publisher**: GitHub Actions +- **Organization or user**: `Permify` +- **Repository**: `permify-node` +- **Workflow filename**: `publish.yml` +- **Allowed actions**: `npm publish` +- **Environment name**: leave empty unless `.github/workflows/publish.yml` is updated to use a matching GitHub environment ## Workflows @@ -103,11 +107,11 @@ Set in GitHub repository settings: **Steps**: 1. Checkout code -2. Setup Node.js 20 +2. Setup Node.js with npm trusted publishing support 3. Install dependencies 4. Build (`yarn build`) 5. Update version -6. Publish to NPM +6. Publish to NPM using GitHub OIDC ### 2. Proto Update Workflow (`.github/workflows/protos.yml`) @@ -129,7 +133,8 @@ yarn build ### Publish Failed -- Check if `NPM_TOKEN` is valid +- Verify the npm trusted publisher settings match `Permify/permify-node` and `publish.yml` +- Check that the workflow has `id-token: write` permission - Verify version doesn't already exist on NPM - Check [Actions logs](https://github.com/Permify/permify-node/actions) @@ -159,11 +164,10 @@ Before releasing: - [ ] Version number follows semantic versioning - [ ] Release notes prepared - [ ] Breaking changes documented (if any) -- [ ] NPM_TOKEN is valid +- [ ] npm trusted publisher is configured for `.github/workflows/publish.yml` ## Links - [NPM Package](https://www.npmjs.com/package/@permify/permify-node) - [GitHub Repository](https://github.com/Permify/permify-node) - [Buf Schema Registry](https://buf.build/permifyco/permify) -