From 4fd5360e57f5b0bd08a89c6d22986a9be3936158 Mon Sep 17 00:00:00 2001
From: Suyog Sonwalkar
Date: Sat, 6 Dec 2025 11:50:40 -0800
Subject: [PATCH] Updating deployment to use npm trusted publishers

Summary:
Test Plan:
---
 .github/workflows/{deploy.yml => cd.yml} | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)
 rename .github/workflows/{deploy.yml => cd.yml} (80%)

diff --git a/.github/workflows/deploy.yml b/.github/workflows/cd.yml
similarity index 80%
rename from .github/workflows/deploy.yml
rename to .github/workflows/cd.yml
index 91241f2..471668d 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/cd.yml
@@ -5,6 +5,10 @@ on:
 tags:
 - v*
 
+permissions:
+ id-token: write
+ contents: write
+
 jobs:
 deploy:
 runs-on: ubuntu-latest
@@ -59,10 +63,16 @@ jobs:
 git push origin main
 git push origin ${{ steps.version.outputs.current-version }}
 
+ - name: Setup Node.js for NPM publish
+ uses: actions/setup-node@v4
+ with:
+ node-version: "20"
+ registry-url: "https://registry.npmjs.org"
+
+ - name: Update npm for OIDC support
+ run: npm install -g npm@latest
+
 - name: Publish to NPM
- run: |
- echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" > ~/.npmrc
- echo "//registry.npmjs.org/:always-auth=true" >> ~/.npmrc
- npm publish
 env:
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+ NPM_CONFIG_PROVENANCE: true
+ run: npm publish --provenance
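Review bot: The new `permissions:` block sits at workflow level, so `id-token: write` and `contents: write` are granted to every job in this file rather than only to the job that pushes and publishes. Only `deploy` is visible here and the rest of the workflow lies outside the hunk, but any job added later would inherit the ability to mint OIDC tokens and write to the repository. Declaring the block under the job (`jobs.deploy.permissions:` with `id-token: write` and `contents: write`) and setting the workflow default to `permissions: {}` keeps the grant scoped to the release job. A short comment such as `# id-token: npm trusted publishing (OIDC); contents: push version commit and tag` would record why each scope is needed.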
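Review bot: `run: npm install -g npm@latest` pulls an unpinned npm into the job that holds `id-token: write` and `contents: write`, so whatever is tagged `latest` at release time runs with publish rights; pin an exact version instead, e.g. `run: npm install -g npm@<PINNED_VERSION>` (npm's trusted-publishing documentation asks for 11.5.1 or later, worth confirming). `uses: actions/setup-node@v4` is likewise a movable tag, and a full commit SHA with the version in a trailing comment is the safer reference for a release workflow. `NPM_CONFIG_PROVENANCE: true` and `--provenance` request the same thing twice, so one of them can go. Because this commit also renames the file to `cd.yml`, the trusted-publisher entry on npmjs.com has to name that workflow file, and the now unused `NPM_TOKEN` secret should be revoked on npm and deleted from the repository secrets. The `deploy` job's earlier steps are outside this hunk.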