From 9d6d333dc720605e9a4e07fd9c0ba182ae6cd203 Mon Sep 17 00:00:00 2001
From: izzy <me@insrt.uk>
Date: Mon, 6 Apr 2026 12:23:55 +0100
Subject: [PATCH] ci: use trusted publishing

Signed-off-by: izzy <me@insrt.uk>
---
 .github/workflows/build_and_publish.yml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/build_and_publish.yml b/.github/workflows/build_and_publish.yml
index 2f09c28..bfd2095 100644
--- a/.github/workflows/build_and_publish.yml
+++ b/.github/workflows/build_and_publish.yml
@@ -12,6 +12,7 @@ jobs:
     permissions:
       contents: write
       id-token: write
+      packages: write
 
     steps:
       - name: Checkout repository
@@ -60,10 +61,8 @@ jobs:
           message: "chore: bump version to ${{ steps.check-api.outputs.api-version }} [skip ci]"
 
       - name: Publish to npm
-        run: npm publish --provenance --ignore-scripts
+        run: pnpm publish --access public --provenance --no-git-checks
         if: steps.check-tag.outputs.exists == 'false'
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Checkout stoat.js repository
         if: steps.check-tag.outputs.exists == 'false'