From 656bb3a3d26760edd2915800e8d1877b9e8aed89 Mon Sep 17 00:00:00 2001
From: Gareth Jones <3151613+G-Rath@users.noreply.github.com>
Date: Fri, 24 Oct 2025 07:19:34 +1300
Subject: [PATCH] ci: switch to using OIDC for publishing releases
---
 .github/workflows/validate.yml | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
index 26596e7..bcb2528 100644
--- a/.github/workflows/validate.yml
+++ b/.github/workflows/validate.yml
@@ -85,6 +85,11 @@ jobs:
 uses: codecov/codecov-action@v3
 release:
+ permissions:
+ contents: write # to be able to publish a GitHub release
+ issues: write # to be able to comment on released issues
+ pull-requests: write # to be able to comment on released pull requests
+ id-token: write # to enable use of OIDC for trusted publishing and npm provenance
 needs: main
 runs-on: ubuntu-latest
 if: ${{ github.repository == 'testing-library/eslint-plugin-jest-dom' &&
@@ -97,7 +102,12 @@ jobs:
 - name: ⎔ Setup node
 uses: actions/setup-node@v4
 with:
- node-version: 16
+ node-version: 22
+
+ # todo: this can be removed once we are using a version of Node that
+ # ships with npm v11.5.1 or higher, which is needed for using oidc
+ - name: install latest npm
+ run: npm i -g npm
 - name: 📥 Download deps
 uses: bahmutov/npm-install@v1
@@ -112,7 +122,7 @@ jobs:
 - name: 🚀 Release
 uses: cycjimmy/semantic-release-action@v4
 with:
- semantic_version: 18
+ semantic_version: 25
 branches: |
 [
 '+([0-9])?(.{+([0-9]),x}).x',
@@ -124,4 +134,3 @@ jobs:
 ]
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
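Review bot: The new `id-token: write` grant is job-wide, so every step in `release` can request an OIDC token and use `contents: write`, including the third-party actions that the later hunks show referenced by mutable tags (`bahmutov/npm-install@v1`, `cycjimmy/semantic-release-action@v4`). Pinning those to full commit SHAs, e.g. `uses: cycjimmy/semantic-release-action@<full-commit-sha> # v4`, keeps a retagged action from inheriting publish rights. The trusted-publisher entry on the npm side should be restricted to this workflow file; that cannot be checked from the patch. Because the last hunk only stops passing `NPM_TOKEN`, the token itself stays valid until it is revoked on npm and the repository secret is deleted. The job's `if:` condition continues outside the hunk, so its branch and event gating could not be reviewed here.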
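Review bot: The added `run: npm i -g npm` step installs whatever npm release is latest at run time, in the same job that now holds `id-token: write` and `contents: write`. That makes the release toolchain non-reproducible, and a bad or breaking npm release would take effect without any change in this repository. Since the todo comment already names the minimum needed, a bounded range such as `run: npm i -g npm@^11.5.1` (or an exact version bumped deliberately) gives the same OIDC support with a known upper bound. The job's step list starts and ends outside this hunk.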