From aeef37d1374f41ae723c9b731c5485eb50f48c48 Mon Sep 17 00:00:00 2001
From: Jacob Bell <228905018+OS-jacobbell@users.noreply.github.com>
Date: Thu, 5 Mar 2026 14:19:15 -0700
Subject: [PATCH 1/2] chore(workflows): refactor github workflows for new npm auth
---
 .../{dev-build.yml => dev-release.yml} | 4 +--
 .../{release.yml => production-release.yml} | 22 ++++---------
 .github/workflows/release-orchestrator.yml | 33 +++++++++++++++++++
 .../workflows/{build.yml => validation.yml} | 2 +-
 4 files changed, 42 insertions(+), 19 deletions(-)
 rename .github/workflows/{dev-build.yml => dev-release.yml} (96%)
 rename .github/workflows/{release.yml => production-release.yml} (56%)
 create mode 100644 .github/workflows/release-orchestrator.yml
 rename .github/workflows/{build.yml => validation.yml} (98%)
diff --git a/.github/workflows/dev-build.yml b/.github/workflows/dev-release.yml
similarity index 96%
rename from .github/workflows/dev-build.yml
rename to .github/workflows/dev-release.yml
index e46ba9aa7..1f325bcf9 100644
--- a/.github/workflows/dev-build.yml
+++ b/.github/workflows/dev-release.yml
@@ -1,7 +1,7 @@
-name: 'Ionicons Dev Build'
+name: 'Dev Release'
 on:
- workflow_dispatch:
+ workflow_call:
 jobs:
 create-dev-hash:
diff --git a/.github/workflows/release.yml b/.github/workflows/production-release.yml
similarity index 56%
rename from .github/workflows/release.yml
rename to .github/workflows/production-release.yml
index 15401bd66..8bde74962 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/production-release.yml
@@ -1,22 +1,12 @@
-name: 'Ionicons Production Release'
+name: 'Production Release'
 on:
- workflow_dispatch:
+ workflow_call:
 inputs:
 version:
- required: true
- type: choice
- description: Which version should be published?
- options:
- - patch
- - minor
- - major
- tag:
- required: true
- type: choice
- description: Which npm tag should this be published to?
- options:
- - latest
+ required: false
+ type: string
+ description: npm version (major, minor, or patch)
 jobs:
 release-ionicons:
@@ -31,7 +21,7 @@ jobs:
 - name: Publish to NPM
 uses: ./.github/workflows/actions/publish-npm
 with:
- tag: ${{ inputs.tag }}
+ tag: latest
 version: ${{ inputs.version }}
 working-directory: './'
 token: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/release-orchestrator.yml b/.github/workflows/release-orchestrator.yml
new file mode 100644
index 000000000..9786ab8a8
--- /dev/null
+++ b/.github/workflows/release-orchestrator.yml
@@ -0,0 +1,33 @@
+name: 'Release Orchestrator'
+
+on:
+ workflow_dispatch:
+ inputs:
+ release-type:
+ description: 'Release type'
+ required: true
+ type: choice
+ options:
+ - dev
+ - production
+ version:
+ description: 'Version for production releases'
+ required: false
+ type: choice
+ options:
+ - patch
+ - minor
+ - major
+
+jobs:
+ run-dev:
+ if: ${{ inputs.release-type == 'dev' }}
+ uses: ./.github/workflows/dev-release.yml
+ secrets: inherit
+
+ run-production:
+ if: ${{ inputs.release-type == 'production' }}
+ uses: ./.github/workflows/production-release.yml
+ secrets: inherit
+ with:
+ version: ${{ inputs.version }}
\ No newline at end of file
diff --git a/.github/workflows/build.yml b/.github/workflows/validation.yml
similarity index 98%
rename from .github/workflows/build.yml
rename to .github/workflows/validation.yml
index 0b1f1ddf1..f79d94a5d 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/validation.yml
@@ -1,4 +1,4 @@
-name: 'Ionicons Build'
+name: 'Validation'
 on:
 pull_request:
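Review bot: In `production-release.yml` the `workflow_call` input `version` is now `required: false` and `type: string`, so this workflow itself no longer limits the value to the `major`, `minor` or `patch` that its description names. The orchestrator's `choice` input covers the normal path, but an empty or unexpected string from any other caller would be handed straight to `publish-npm`; what the action does with it is not visible here. I would keep the contract in this file with `required: true` and a comment such as `# one of: major, minor, patch — validated by the caller's choice input`. The `release-ionicons` job continues outside the hunk.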
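Review bot: In the new `release-orchestrator.yml`, `secrets: inherit` on both `run-dev` and `run-production` hands every secret the orchestrator can read to the called workflows, while the lines visible on this page only reference `NPM_TOKEN` and, in the production workflow, `IONITRON_TOKEN`. Passing secrets by name keeps a later edit to a called workflow, or to an action it runs, from silently gaining access to unrelated credentials. Under `run-production` that would be a `secrets:` mapping with `NPM_TOKEN: ${{ secrets.NPM_TOKEN }}` and `IONITRON_TOKEN: ${{ secrets.IONITRON_TOKEN }}`, with matching declarations under `on.workflow_call.secrets` in the called file; `run-dev` appears to need only `NPM_TOKEN`.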
From e7f344bb767f8dd774b3203b7bc88883cdc0b931 Mon Sep 17 00:00:00 2001 From: Jacob Bell <228905018+OS-jacobbell@users.noreply.github.com> Date: Fri, 6 Mar 2026 07:38:03 -0700 Subject: [PATCH 2/2] chore(worflows): configure for npm trusted publishers --- .github/workflows/actions/publish-npm/action.yml | 10 ---------- .github/workflows/dev-release.yml | 1 - .github/workflows/production-release.yml | 1 - .github/workflows/release-orchestrator.yml | 6 +++++- 4 files changed, 5 insertions(+), 13 deletions(-) diff --git a/.github/workflows/actions/publish-npm/action.yml b/.github/workflows/actions/publish-npm/action.yml index 72a520b25..fce7c85ca 100644 --- a/.github/workflows/actions/publish-npm/action.yml +++ b/.github/workflows/actions/publish-npm/action.yml @@ -10,13 +10,9 @@ inputs: folder: default: './' description: 'A folder containing a package.json file.' - token: - description: 'The NPM authentication token required to publish.' - createRelease: description: 'Create a release on GitHub.' default: 'false' - ghToken: description: 'The GitHub authentication token required to create a release.' @@ -49,12 +45,6 @@ runs: run: npm run build shell: bash working-directory: ${{ inputs.working-directory }} - - name: Prepare NPM Token - run: echo //registry.npmjs.org/:_authToken=${NPM_TOKEN} > .npmrc - working-directory: ${{ inputs.working-directory }} - shell: bash - env: - NPM_TOKEN: ${{ inputs.token }} - name: Publish to NPM run: npm publish ${{ inputs.folder }} --tag ${{ inputs.tag }} --provenance shell: bash diff --git a/.github/workflows/dev-release.yml b/.github/workflows/dev-release.yml index 1f325bcf9..96f08ba37 100644 --- a/.github/workflows/dev-release.yml +++ b/.github/workflows/dev-release.yml @@ -33,7 +33,6 @@ jobs: tag: dev version: ${{ needs.create-dev-hash.outputs.dev-hash }} working-directory: './' - token: ${{ secrets.NPM_TOKEN }} createRelease: 'false' get-build: 
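Review bot: In `publish-npm/action.yml` the remaining `Publish to NPM` step still expands `${{ inputs.folder }}` and `${{ inputs.tag }}` directly into the `run:` line, so the values become part of the script text before bash parses it. The callers shown on this page pass fixed `tag` values (`dev`, `latest`), which keeps the exposure low today, but the step deleted in this hunk used the safer pattern of handing its value over through `env:`. I would do the same for the publish command and quote the variables, as sketched below. The step's remaining keys continue past the end of the hunk.

```yaml
    - name: Publish to NPM
      run: npm publish "$FOLDER" --tag "$TAG" --provenance
      shell: bash
      env:
        FOLDER: ${{ inputs.folder }}
        TAG: ${{ inputs.tag }}
      # … unchanged: remaining keys of the step …
```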
diff --git a/.github/workflows/production-release.yml b/.github/workflows/production-release.yml
index 8bde74962..20938cd04 100644
--- a/.github/workflows/production-release.yml
+++ b/.github/workflows/production-release.yml
@@ -24,6 +24,5 @@ jobs:
 tag: latest
 version: ${{ inputs.version }}
 working-directory: './'
- token: ${{ secrets.NPM_TOKEN }}
 createRelease: true
 ghToken: ${{ secrets.IONITRON_TOKEN }}
diff --git a/.github/workflows/release-orchestrator.yml b/.github/workflows/release-orchestrator.yml
index 9786ab8a8..b8abf2d1a 100644
--- a/.github/workflows/release-orchestrator.yml
+++ b/.github/workflows/release-orchestrator.yml
@@ -19,6 +19,10 @@ on:
 - minor
 - major
+permissions:
+ id-token: write
+ contents: read
+
 jobs:
 run-dev:
 if: ${{ inputs.release-type == 'dev' }}
@@ -30,4 +34,4 @@ jobs:
 uses: ./.github/workflows/production-release.yml
 secrets: inherit
 with:
- version: ${{ inputs.version }}
\ No newline at end of file
+ version: ${{ inputs.version }}
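Review bot: In `release-orchestrator.yml`, `id-token: write` is granted at workflow level, so every job reached from this file can request an OIDC token unless a called workflow narrows its own permissions; that includes jobs in `dev-release.yml` and `production-release.yml` that do not publish. With trusted publishing that token is the publishing credential, so it is worth confining to the publish path: keep only `contents: read` at the top level, put a `permissions:` block with `id-token: write` and `contents: read` on `run-dev` and `run-production`, and set `permissions:` to `contents: read` on the non-publishing jobs of the called workflows. Since any `workflow_dispatch` run of this file can now publish to `latest` without a stored token, a protected `environment` with required reviewers on the publishing job would restore an approval step. The `run-dev` job continues past the end of the hunk.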