Revert "chore: use trusted publishing"

Minishlink · Minishlink · commit 3d80380e25b0 · 2026-02-13T00:11:39.000+01:00
This reverts commit edefcea. Does not handle reusable workflows And also https://openjsf.org/blog/publishing-securely-on-npm
diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml
@@ -8,7 +8,6 @@ runs:
       uses: actions/setup-node@v4
       with:
         node-version-file: .node-version
-        registry-url: "https://registry.npmjs.org"
 
     - run: corepack enable
       shell: bash
diff --git a/.github/workflows/onRelease.yml b/.github/workflows/onRelease.yml
@@ -4,10 +4,6 @@ on:
   release:
     types: [published]
 
-permissions:
-  id-token: write
-  contents: read
-
 jobs:
   publish:
     runs-on: ubuntu-latest
@@ -28,5 +24,7 @@ jobs:
             echo "NPM_TAG=latest" >> $GITHUB_OUTPUT
           fi
 
-      - name: Publish
-        run: npm publish --tag ${{ steps.set-npm-tag.outputs.NPM_TAG }}
+      - uses: JS-DevTools/npm-publish@19c28f1ef146469e409470805ea4279d47c3d35c
+        with:
+          token: "${{ secrets.NPM_TOKEN }}"
+          tag: ${{ steps.set-npm-tag.outputs.NPM_TAG }}
