From 8b4431b6786da7114e70a8ee0bf63dfdb8994f87 Mon Sep 17 00:00:00 2001
From: Dave Bullough <591834+drb@users.noreply.github.com>
Date: Mon, 2 Feb 2026 14:12:54 +0000
Subject: [PATCH 1/3] fix(ci): update workflow to use OIDC instead of tokens

---
 .github/workflows/publish.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 3a8b462..56a3fa3 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -21,6 +21,9 @@ jobs:
   publish:
     needs: test
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
@@ -29,6 +32,4 @@ jobs:
           registry-url: 'https://registry.npmjs.org'
           cache: 'npm'
       - run: npm ci
-      - run: npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+      - run: npm publish --provenance --access public

From a6ff89444fbf7a4816adb532afb10ebb503dba64 Mon Sep 17 00:00:00 2001
From: Dave Bullough <591834+drb@users.noreply.github.com>
Date: Mon, 2 Feb 2026 14:19:52 +0000
Subject: [PATCH 2/3] fix(ci): remove registry-url from publish.yml

---
 .github/workflows/publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 56a3fa3..7ef4605 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -29,7 +29,7 @@ jobs:
       - uses: actions/setup-node@v4
         with:
           node-version: '20'
-          registry-url: 'https://registry.npmjs.org'
           cache: 'npm'
+      - run: npm config set registry https://registry.npmjs.org/
       - run: npm ci
       - run: npm publish --provenance --access public

From 786d53dc97cf36cfab197258c4c47239bddeb434 Mon Sep 17 00:00:00 2001
From: Dave Bullough <591834+drb@users.noreply.github.com>
Date: Mon, 2 Feb 2026 14:22:00 +0000
Subject: [PATCH 3/3] fix(ci): fix workflow deployment

---
 .github/workflows/publish.yml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 7ef4605..3a8b462 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -21,15 +21,14 @@ jobs:
   publish:
     needs: test
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write
     steps:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
           node-version: '20'
+          registry-url: 'https://registry.npmjs.org'
           cache: 'npm'
-      - run: npm config set registry https://registry.npmjs.org/
       - run: npm ci
-      - run: npm publish --provenance --access public
+      - run: npm publish
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}