From 232f9d9de673c46a739ad2aba1f01ee19b494047 Mon Sep 17 00:00:00 2001
From: Mark Pitman <mark@pitman.io>
Date: Wed, 15 Apr 2026 14:10:47 -0700
Subject: [PATCH] Fix the NPM publish job

Use OIDC "Trusted Publishing" instead of a token
---
 .github/workflows/publish.yml | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 8e81b52..8bb5625 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -5,6 +5,9 @@ on:
   release:
     types: [released]
 
+permissions:
+  id-token: write
+  contents: read
 jobs:
   build:
     runs-on: ubuntu-latest
@@ -44,10 +47,8 @@ jobs:
       with:
         name: package
         path: .
-    - uses: actions/setup-node@v2
+    - uses: actions/setup-node@v6
       with:
-        node-version: 18.x
+        node-version: 24
         registry-url: 'https://registry.npmjs.org'
     - run: npm publish ./gettyimages-api-${{ steps.previoustag.outputs.tag }}.tgz
-      env:
-        NODE_AUTH_TOKEN: ${{secrets.NPM_AUTOMATION_KEY}}