From ddfc10eae4e6888df883507cd0334aef6743f7c6 Mon Sep 17 00:00:00 2001
From: Strift
Date: Thu, 11 Dec 2025 15:28:31 +0800
Subject: [PATCH 1/2] Update permissions
---
 .github/workflows/publish.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 1a265896..ae54e7c5 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -3,6 +3,10 @@ on:
 release:
 types: [published]
+permissions:
+ id-token: write # Required for OIDC
+ contents: read
+
 jobs:
 publish-npm:
 runs-on: ubuntu-18.04
@@ -12,7 +16,7 @@ jobs:
 with:
 node-version: 16
 registry-url: https://registry.npmjs.org/
- cache: 'yarn'
+ cache: "yarn"
 - name: Check release validity
 run: sh .github/scripts/check-release.sh
 - name: Check tag format
From 19e2d31da61c4c1a55e4b7b758e525331c5ca36a Mon Sep 17 00:00:00 2001
From: Strift
Date: Sat, 13 Dec 2025 11:31:39 +0800
Subject: [PATCH 2/2] Remove auth token secret
---
 .github/workflows/publish.yml | 4 ----
 1 file changed, 4 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index ae54e7c5..68397a26 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -28,10 +28,6 @@ jobs:
 - name: Publish with latest tag
 if: "!github.event.release.prerelease && !contains(github.ref, 'beta')"
 run: npm publish .
- env:
- NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
 - name: Publish with beta tag
 if: "github.event.release.prerelease && contains(github.ref, 'beta')"
 run: npm publish . --tag beta
- env:
- NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
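Review bot: `id-token: write` is granted in a workflow-level `permissions:` block, so every job in publish.yml can request an OIDC token, not only the one that publishes. Only `publish-npm` is visible in this hunk; if it is the sole job the effect is the same today, but scoping the grant to the job keeps it that way when jobs are added later: move the block under `publish-npm:` as `permissions:` with `id-token: write` and `contents: read`. The inline comment could also name the consumer, e.g. `# Required for npm trusted publishing (OIDC)`. The `jobs` mapping continues outside the hunk.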
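Review bot: With `NODE_AUTH_TOKEN` removed, both `npm publish` steps depend entirely on npm trusted publishing, which needs npm CLI 11.5.1 or later, while the setup step shown as context in patch 1/2 still pins `node-version: 16`, whose bundled npm is much older. As written the publish would most likely fail authentication, so the pin should move to a Node release that ships a new enough npm (for example `node-version: 24`, after confirming its bundled npm version). The diff cannot show whether a trusted publisher naming this repository and `publish.yml` is configured on the registry side, so that is worth confirming before merging. Once a release has gone out over OIDC, the `NPM_TOKEN` secret should be revoked on npm and deleted from the repository rather than left unused. The steps list starts and ends outside the hunk.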