From 23d7e0d844428b1321a67a97515671a3034d88c8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?David=20Test=C3=A9?=
Date: Thu, 16 Oct 2025 10:44:11 +0200
Subject: [PATCH] chore(ci): use trusted publishing for npm packages

---
 .github/workflows/make_release_tfhe.yml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/make_release_tfhe.yml b/.github/workflows/make_release_tfhe.yml
index 0c8046c26..f7ffac5c0 100644
--- a/.github/workflows/make_release_tfhe.yml
+++ b/.github/workflows/make_release_tfhe.yml
@@ -64,7 +64,7 @@ jobs:
 # For provenance of npmjs publish
 permissions:
 contents: read
- id-token: write # also needed for OIDC token exchange on crates.io
+ id-token: write # also needed for OIDC token exchange on crates.io and npmjs.com
 steps:
 - name: Checkout
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -83,11 +83,16 @@ jobs:
 run: |
 make build_web_js_api_parallel
 
+ - name: Authenticate on NPM
+ uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+ with:
+ node-version: '22'
+ registry-url: 'https://registry.npmjs.org'
+
 - name: Publish web package
 if: ${{ inputs.push_web_package }}
 uses: JS-DevTools/npm-publish@7f8fe47b3bea1be0c3aec2b717c5ec1f3e03410b
 with:
- token: ${{ secrets.NPM_TOKEN }}
 package: tfhe/pkg/package.json
 dry-run: ${{ inputs.dry_run }}
 tag: ${{ env.NPM_TAG }}
@@ -105,7 +110,6 @@ jobs:
 if: ${{ inputs.push_node_package }}
 uses: JS-DevTools/npm-publish@7f8fe47b3bea1be0c3aec2b717c5ec1f3e03410b
 with:
- token: ${{ secrets.NPM_TOKEN }}
 package: tfhe/pkg/package.json
 dry-run: ${{ inputs.dry_run }}
 tag: ${{ env.NPM_TAG }}
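Review bot: The added `Authenticate on NPM` step selects `node-version: '22'`, whose bundled npm is a 10.x release, while npm trusted publishing needs npm CLI 11.5.1 or later; with `token` removed from both publish steps (this hunk and the next one) there is no fallback credential, so a publish through an older npm would presumably fail instead of exchanging the OIDC token. If the pinned `JS-DevTools/npm-publish` commit runs the npm found on PATH, add a step after setup-node such as `run: npm install -g npm@<pinned version, 11.5.1 or later>`, or select a Node release that already ships npm 11. The step name is also misleading, since setup-node only installs Node and writes the registry configuration while the authentication happens at publish time; `Set up Node and npm registry` would describe it better. The `JS-DevTools/npm-publish` pin carries no version comment, unlike the checkout and setup-node pins, so the diff does not show whether that commit accepts a missing `token`; add the `# vX.Y.Z` comment, and revoke the unused `NPM_TOKEN` secret once a tokenless publish has succeeded.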