From ab31461878ef832611cd62e06b716ee45375670c Mon Sep 17 00:00:00 2001
From: Phillip Rak <rak.phillip@gmail.com>
Date: Fri, 12 Dec 2025 14:41:32 -0700
Subject: [PATCH] Update Rancher Icons release to use trusted providers

Signed-off-by: Phillip Rak <rak.phillip@gmail.com>
---
 .github/workflows/publish.yaml | 13 ++++++++++---
 publish.sh                     | 30 ++++++++++++++----------------
 2 files changed, 24 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
index 15d713c..1aeb388 100644
--- a/.github/workflows/publish.yaml
+++ b/.github/workflows/publish.yaml
@@ -6,6 +6,10 @@ on:
     paths:
     - 'package.json'
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   publish:
     runs-on: ubuntu-latest
@@ -14,12 +18,15 @@ jobs:
     - name: Use Node.js
       uses: actions/setup-node@v4
       with:
-        node-version: '14.x'
+        node-version: '20'
         registry-url: 'https://registry.npmjs.org'
         scope: '@rancher'        
+
+    # Ensure npm 11.5.1 or later is installed
+    - name: Update npm
+      run: npm install -g npm@latest
+
     - name: script
-      env:
-        NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}        
       run: |
         git config --global user.name 'Rancher Icons'
         git config --global user.email 'noreply@rancher.com'
diff --git a/publish.sh b/publish.sh
index 6269643..586b9a8 100755
--- a/publish.sh
+++ b/publish.sh
@@ -62,26 +62,24 @@ else
   pushd ${UPLOAD}
 fi
 
-# Publish to npm if a node auth token is set in the environment
-if [ -n "${NODE_AUTH_TOKEN}" ]; then
-  echo "Publishing @rancher/icons to npm"
+# Publish to npm 
+echo "Publishing @rancher/icons to npm"
 
-  pwd
-  pushd ${DIST}
-  pwd
-  ls -al
-  
-  PUBLISH_ARGS="--no-git-tag-version --access public"
+pwd
+pushd ${DIST}
+pwd
+ls -al
 
-  yarn publish . --new-version ${VERSION} ${PUBLISH_ARGS}
-  RET=$?
+PUBLISH_ARGS="--no-git-tag-version --access public"
 
-  popd
+yarn publish . --new-version ${VERSION} ${PUBLISH_ARGS}
+RET=$?
 
-  if [ $RET -ne 0 ]; then
-    echo "Error publishing @rancher/icons package to npm"
-    exit $RET
-  fi
+popd
+
+if [ $RET -ne 0 ]; then
+  echo "Error publishing @rancher/icons package to npm"
+  exit $RET
 fi
 
 # Update the dist branch - this is the latest build of the icon font