From 21ccb0ee6f70b63d61f66f942b4902ba26883cbb Mon Sep 17 00:00:00 2001
From: Andrew Gable <andrew@expensify.com>
Date: Fri, 31 Oct 2025 13:55:37 -0600
Subject: [PATCH 1/3] Update node and permissions to allow publishing via OIDC

See https://github.com/Expensify/Expensify/issues/558148
---
 .github/workflows/publish.yml | 5 +++++
 .nvmrc                        | 1 +
 2 files changed, 6 insertions(+)
 create mode 100644 .nvmrc

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index d31399e..39a4420 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -4,6 +4,11 @@ on:
     push:
         branches: [main]
 
+permissions:
+  # Required for OIDC: https://docs.npmjs.com/trusted-publishers
+  id-token: write
+  contents: read
+
 # Ensure that only one instance of this workflow executes at a time.
 # If multiple PRs are merged in quick succession, there will only ever be one publish workflow running and one pending.
 concurrency: ${{ github.workflow }}
diff --git a/.nvmrc b/.nvmrc
new file mode 100644
index 0000000..0a49261
--- /dev/null
+++ b/.nvmrc
@@ -0,0 +1 @@
+24.11.0

From fbf09a87786ab0af3a39f89ae29059c3684b7b97 Mon Sep 17 00:00:00 2001
From: Andrew Gable <andrew@expensify.com>
Date: Fri, 31 Oct 2025 14:10:39 -0600
Subject: [PATCH 2/3] Fix version hashes

---
 .github/workflows/style_and_syntax_checks.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/style_and_syntax_checks.yml b/.github/workflows/style_and_syntax_checks.yml
index 97ce30a..829a2a8 100644
--- a/.github/workflows/style_and_syntax_checks.yml
+++ b/.github/workflows/style_and_syntax_checks.yml
@@ -8,13 +8,13 @@ jobs:
     checks:
         runs-on: ubuntu-latest
         steps:
-            - name: Checkout code
-              uses: actions/checkout@v3
+            # v4.2.2
+            - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
-            - name: Setup Node
-              uses: actions/setup-node@v3
+            # v4.3.0
+            - uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e
               with:
-                  node-version: 18
+                  node-version-file: '.nvmrc'
                   cache: npm
 
             - name: Install dependencies

From e0e09c161e26fdbe9cd5688a5bb0196eeaefe05c Mon Sep 17 00:00:00 2001
From: Andrew Gable <andrew@expensify.com>
Date: Fri, 31 Oct 2025 14:13:13 -0600
Subject: [PATCH 3/3] Fix style

---
 .github/workflows/publish.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 39a4420..2d5e55d 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -5,9 +5,9 @@ on:
         branches: [main]
 
 permissions:
-  # Required for OIDC: https://docs.npmjs.com/trusted-publishers
-  id-token: write
-  contents: read
+    # Required for OIDC: https://docs.npmjs.com/trusted-publishers
+    id-token: write
+    contents: read
 
 # Ensure that only one instance of this workflow executes at a time.
 # If multiple PRs are merged in quick succession, there will only ever be one publish workflow running and one pending.