From acf4281e6e92a9bdeddff665dd34b7d1521602b1 Mon Sep 17 00:00:00 2001
From: Daniel Tebbutt <daniel@shift72.com>
Date: Mon, 16 Mar 2026 15:35:55 +1300
Subject: [PATCH] Hypothetically this should work with OIDC like this

As long as node 24 is happy. Not going to spend time on this though.
---
 .github/workflows/publish-release.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml
index da1744d..cb5f9cb 100644
--- a/.github/workflows/publish-release.yml
+++ b/.github/workflows/publish-release.yml
@@ -6,6 +6,9 @@ on:
   release:
     types: [created]
 
+permissions:
+  id-token: write
+
 jobs:
   sanity-checks:
     name: Prerelease sanity checks
@@ -14,7 +17,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: '16.x'
+          node-version: '24'
       - name: Ensure kibble-npm package version matches the tag
         env:
           WORKFLOW_REF: ${{github.ref_name}}
@@ -92,7 +95,7 @@ jobs:
         uses: actions/checkout@v4
       - uses: actions/setup-node@v4
         with:
-          node-version: '16.x'
+          node-version: '24'
           registry-url: "https://registry.npmjs.org"
       - name: Install deps
         working-directory: kibble-npm
@@ -100,8 +103,6 @@ jobs:
       - name: Publish wrapper package to npm
         working-directory: kibble-npm
         run: npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
   publish-staging-builder:
     name: Publish staging builder
     needs: publish-npm