From fc725706cf1727803960e55aba6dcb36b7272010 Mon Sep 17 00:00:00 2001
From: Tommy Hu
Date: Tue, 28 Apr 2026 10:24:53 -0700
Subject: [PATCH 1/2] chore: use npm trusted publishing

Replace classic npm token with OIDC-based trusted publishing. The previous token expired 2026-04-13.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/release.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index f506cb26..792f58b6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,6 +10,10 @@ jobs:
 release:
 if: github.event.workflow_run.conclusion == 'success'
 runs-on: ubuntu-latest
+ permissions:
+ id-token: write
+ contents: write
+ actions: read
 steps:
 - uses: actions/checkout@v5
@@ -18,6 +22,9 @@ jobs:
 node-version: 24
 registry-url: https://registry.npmjs.org/
+ - name: Update npm for trusted publishing
+ run: npm install -g npm@latest
+
 - name: Get package version
 id: version
 run: echo "version=$(node -p "require('./package.json').version")" >> $GITHUB_OUTPUT
@@ -49,5 +56,3 @@ jobs:
 - name: Publish to npm
 run: npm publish
- env:
- NODE_AUTH_TOKEN: ${{ secrets.npm_token }}
From 2ad60d304d71fe94e29af263390517c42e97dae2 Mon Sep 17 00:00:00 2001
From: Tommy Hu
Date: Tue, 28 Apr 2026 11:02:38 -0700
Subject: [PATCH 2/2] chore: drop redundant npm@latest install

Node 24 ships with npm 11.12.1+, well past the 11.5.1 minimum for trusted publishing.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .github/workflows/release.yml | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 792f58b6..e63f0c7c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
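Review bot: In the first hunk of PATCH 1/2 (`@@ -10,6 +10,10 @@`), the new `permissions:` block sits at job level, so `id-token: write` and `contents: write` are granted to every step of `release`, not just `npm publish`; any earlier step that runs package scripts can also request the OIDC token or write to the repository. Consider moving the publish step into its own job that carries only `id-token: write` and `contents: read`, and keeping `contents: write` with the steps that create the tag or release. If the job stays as one unit, a comment above the block such as `# id-token: npm trusted publishing (OIDC); contents: tag/release; actions: read the triggering workflow_run` would record why each scope is there. The steps between the hunks are not visible here, so whether `contents: write` and `actions: read` are actually needed should be checked against them.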
@@ -22,9 +22,6 @@ jobs:
 node-version: 24
 registry-url: https://registry.npmjs.org/
- - name: Update npm for trusted publishing
- run: npm install -g npm@latest
-
 - name: Get package version
 id: version
 run: echo "version=$(node -p "require('./package.json').version")" >> $GITHUB_OUTPUT