From 29f700ef4bbfbe41627386f9708054d2b109fca7 Mon Sep 17 00:00:00 2001
From: khooihongzhe
Date: Mon, 11 May 2026 17:16:55 +0800
Subject: [PATCH 1/2] chore: migrate npm publish to Trusted Publishing (OIDC)
Drops the long-lived NPM_TOKEN secret in favor of npm Trusted Publishing. GitHub Actions OIDC tokens authenticate the publish, scoped to this repo+workflow combo, so publish capability cannot be exercised from elsewhere even if repo write access leaks.
- Add 'Upgrade npm' step so the CLI is >= 11.5.1 (setup-node@v6 ships npm 10.x, which doesn't support trusted publishing)
- Remove NODE_AUTH_TOKEN env from the publish step
Requires Trusted Publisher to be configured on all 7 packages on npmjs.com before this merges, otherwise the next release fails.
---
 .github/workflows/release.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a547765..7b83e50 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -34,6 +34,10 @@ jobs:
 node-version: "20"
 registry-url: "https://registry.npmjs.org"
+ # npm Trusted Publishing requires npm >= 11.5.1; setup-node@v6 ships npm 10.x.
+ - name: Upgrade npm
+ run: npm install -g npm@latest
+
 - name: Smoke test npm packages
 run: |
 VERSION="${GITHUB_REF_NAME#v}"
@@ -43,5 +47,3 @@ jobs:
 run: |
 VERSION="${GITHUB_REF_NAME#v}"
 VERSION="$VERSION" scripts/npm-publish.sh
- env:
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
From dd1bfd5d6a8d65f5839b0b10ad2bbea7ded64c2d Mon Sep 17 00:00:00 2001
From: khooihongzhe
Date: Mon, 11 May 2026 17:32:08 +0800
Subject: [PATCH 2/2] ci: bump Node 20 to 24 and drop explicit npm upgrade
Node 24 LTS ships npm 11.x natively, which already satisfies the >= 11.5.1 requirement for Trusted Publishing. The 'Upgrade npm' step becomes redundant.
---
 .github/workflows/release.yml | 6 +----
 1 file changed, 1 insertion(+), 5 deletions(-)
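Review bot: The publish job must grant `permissions: id-token: write` for the OIDC exchange that now replaces NPM_TOKEN, and neither hunk nor the commit message shows it being added; unless it is already set at the workflow or job level above the first hunk (the job starts outside this view), npm 11.5+ cannot mint an OIDC token and the publish fails outright, since the fallback token has been removed. Separately, `run: npm install -g npm@latest` in the added 'Upgrade npm' step pulls a floating, unpinned npm into the release path; pin it to the version you validated, e.g. `run: npm install -g npm@11.5.1`, so a broken or compromised npm release cannot land in the publish step unnoticed. The description's claim that publish capability "cannot be exercised from elsewhere even if repo write access leaks" overstates the control: Trusted Publishing binds the token to this repo and workflow file, so anyone who can push a tag that runs release.yml, or edit the workflow, can still publish; the real gain is that there is no long-lived secret to leak.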
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 7b83e50..050356a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -31,13 +31,9 @@ jobs:
 - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
 with:
- node-version: "20"
+ node-version: "24"
 registry-url: "https://registry.npmjs.org"
- # npm Trusted Publishing requires npm >= 11.5.1; setup-node@v6 ships npm 10.x.
- - name: Upgrade npm
- run: npm install -g npm@latest
-
 - name: Smoke test npm packages
 run: |
 VERSION="${GITHUB_REF_NAME#v}"
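Review bot: `node-version: "24"` delegates the npm >= 11.5.1 requirement to whichever 24.x setup-node resolves at run time, but the bundled npm is not uniform across the 24 line (early 24.x releases shipped npm 11.3/11.4 as far as I recall), and with the comment removed the workflow no longer records the constraint anywhere. Keep a one-line comment on the setup-node step, `# Node 24 bundles npm >= 11.5.1, required for npm Trusted Publishing (OIDC); do not lower.`, and add an explicit guard so a toolchain regression fails before the publish step rather than inside it. The enclosing job and its steps list start above this hunk.

```yaml
- uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
  with:
    # Node 24 bundles npm >= 11.5.1, required for npm Trusted Publishing (OIDC); do not lower.
    node-version: "24"
    registry-url: "https://registry.npmjs.org"

- name: Assert npm supports Trusted Publishing (>= 11.5.1)
  run: |
    v="$(npm --version)"
    if [ "$(printf '%s\n' 11.5.1 "$v" | sort -V | head -n1)" != 11.5.1 ]; then
      echo "npm $v is older than 11.5.1; Trusted Publishing will fail" >&2
      exit 1
    fi
# … unchanged: Smoke test npm packages step …
```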