From 2b7660f019244923df9c7ea97ec785495f256a2e Mon Sep 17 00:00:00 2001
From: Lukas May <lukas.may@carealytix.com>
Date: Fri, 6 Mar 2026 17:04:20 +0100
Subject: [PATCH] ci: Switch to OIDC trusted publishing for npm (no token
 needed)

---
 .gitlab-ci.yml | 7 +++++--
 .npmrc         | 2 ++
 2 files changed, 7 insertions(+), 2 deletions(-)
 create mode 100644 .npmrc

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 269153e..5a19048 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -4,14 +4,17 @@ stages:
 semantic-release:
   stage: release
   image: node:lts-alpine
+  id_tokens:
+    NPM_ID_TOKEN:
+      aud: "npm:registry.npmjs.org"
+    SIGSTORE_ID_TOKEN:
+      aud: sigstore
   before_script:
     - apk add git openssh
     - mkdir -p ~/.ssh
     - echo "$SSH_PRIVATE_KEY" > ~/.ssh/id_ed25519
     - ssh-keyscan -H gitlab.com >> ~/.ssh/known_hosts
     - chmod 600 ~/.ssh/id_ed25519
-    - export NPM_TOKEN="${NODE_AUTH_TOKEN}"
-    - echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" >> .npmrc
     - npm install
     - npm run build
   script:
diff --git a/.npmrc b/.npmrc
new file mode 100644
index 0000000..b079a14
--- /dev/null
+++ b/.npmrc
@@ -0,0 +1,2 @@
+registry=https://registry.npmjs.org/
+@carealytix:registry=https://registry.npmjs.org/