From c19e2039833ba6843e9c849c18b1ed7053a5290d Mon Sep 17 00:00:00 2001
From: JesseKuntz
Date: Mon, 23 Feb 2026 15:07:16 -0500
Subject: [PATCH 1/2] fix: explicitly fetch oidc token

---
 .github/workflows/release.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 49541ed..1745237 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -5,6 +5,8 @@ on:
     branches:
       - main
 
+  workflow_dispatch:
+
 concurrency: ${{ github.workflow }}-${{ github.ref }}
 
 permissions:
@@ -33,6 +35,17 @@ jobs:
       - name: Install dependencies
         run: pnpm install --frozen-lockfile
 
+      - name: Get npm token via OIDC
+        id: npm-token
+        run: |
+          OIDC_TOKEN=$(curl -sS -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
+            "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=npm:registry.npmjs.org" | jq -r '.value')
+          NPM_TOKEN=$(curl -sS -X POST "https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package/@figmentio%2felements" \
+            -H "Authorization: Bearer $OIDC_TOKEN" \
+            -H "Content-Type: application/json" | jq -r '.token')
+          echo "NPM_TOKEN=$NPM_TOKEN" >> "$GITHUB_ENV"
+          echo "::add-mask::$NPM_TOKEN"
+
       - name: Publish to NPM
         id: changesets
         uses: changesets/action@ce079ea084e08a340947ed4d6ecedb2433c8f293
@@ -40,6 +53,7 @@ jobs:
           publish: pnpm release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NPM_TOKEN: ${{ env.NPM_TOKEN }}
         continue-on-error: true
 
       # Add single retry if first attempt fails
@@ -50,6 +64,7 @@ jobs:
           publish: pnpm release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          NPM_TOKEN: ${{ env.NPM_TOKEN }}
 
       # - name: Send a Slack notification if a publish happens
       #   if: steps.changesets.outputs.published == 'true'

From f56c9d3a171b4e736e27ab29137019ea67f46a49 Mon Sep 17 00:00:00 2001
From: JesseKuntz
Date: Mon, 23 Feb 2026 16:04:36 -0500
Subject: [PATCH 2/2] fix: allow for tag pushing

---
 .github/workflows/release.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
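Review bot: The added `workflow_dispatch:` trigger lets the release job be started from any branch, while the `push` trigger next to it is restricted to `main`, and nothing in this hunk gates the job, so a manual run from a feature branch would reach the publish step holding a valid OIDC-derived npm credential. If only `main` should publish, add a job-level condition such as `if: github.ref == 'refs/heads/main'` on the `release` job, whose definition lies outside this hunk. This is inferred from the triggers alone; a GitHub environment or repository rule configured elsewhere may already restrict it.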
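Review bot: The token-exchange script in the "Get npm token via OIDC" step has no failure handling: `curl -sS` is used without `--fail` and `jq -r` without `--exit-status`, so an HTTP error or malformed response yields the literal `null` (or an empty string), which is then written to `$GITHUB_ENV` as `NPM_TOKEN` and masked, and the later publish step runs with a bogus credential while the cause is hidden in the log. The default `bash -e` step shell does not enable `pipefail`, so a failing `curl` inside the pipeline does not stop the step either. Adding `set -euo pipefail`, `--fail` on both requests and `jq -er` makes the step fail loudly at the exchange, and masking before the `$GITHUB_ENV` write is the safer ordering as a matter of hygiene. The surrounding job definition starts before this hunk.
```yaml
        run: |
          set -euo pipefail
          OIDC_TOKEN=$(curl -sS --fail -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
            "${ACTIONS_ID_TOKEN_REQUEST_URL}&audience=npm:registry.npmjs.org" | jq -er '.value')
          NPM_TOKEN=$(curl -sS --fail -X POST "https://registry.npmjs.org/-/npm/v1/oidc/token/exchange/package/@figmentio%2felements" \
            -H "Authorization: Bearer $OIDC_TOKEN" \
            -H "Content-Type: application/json" | jq -er '.token')
          echo "::add-mask::$NPM_TOKEN"
          echo "NPM_TOKEN=$NPM_TOKEN" >> "$GITHUB_ENV"
```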
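Review bot: `NPM_TOKEN: ${{ env.NPM_TOKEN }}` in the first publish hunk, and the identical line in the retry hunk below it, re-maps a value that the `$GITHUB_ENV` write already places in the environment of every subsequent step, so the publish credential is not scoped to the two steps that need it. A tighter form is to have the OIDC step emit `echo "token=$NPM_TOKEN" >> "$GITHUB_OUTPUT"` instead of writing `$GITHUB_ENV`, and to reference it in both `env:` blocks as `NPM_TOKEN: ${{ steps.npm-token.outputs.token }}`; the step already carries `id: npm-token`, but nothing in the patch reads it. The enclosing step definitions start outside these hunks.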
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 1745237..2b5300f 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -10,8 +10,8 @@ on:
 concurrency: ${{ github.workflow }}-${{ github.ref }}
 
 permissions:
-  contents: read
-  id-token: write # Required for npm trusted publishing (OIDC)
+  contents: write # Push tags (and version bump commits) after publish
+  id-token: write # Required for npm trusted publishing (OIDC)
 
 jobs:
   release:
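Review bot: `contents: write` is granted at the workflow-level `permissions:` block in this hunk, so it applies to every job in the file rather than only the `release` job that pushes tags, and the same write-capable `GITHUB_TOKEN` is then in scope for `pnpm install` (package lifecycle scripts) and the third-party changesets action, which is broader than the comment's stated need. Least privilege would be to move the `permissions:` block under `jobs.release` (outside this hunk) so any job added later defaults to read-only, keeping the `# Push tags (and version bump commits) after publish` comment as written. The `id-token: write` line is removed and re-added with identical text, which looks like a whitespace-only realignment; worth confirming nothing else changed on that line.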