From a2b9bfadc6395c037e08eb940074f770b4d68cf5 Mon Sep 17 00:00:00 2001
From: George Raduta <george.raduta@cern.ch>
Date: Wed, 7 Jan 2026 12:30:23 +0100
Subject: [PATCH 1/2] Adapt release action to use NPM trusted publishers

---
 .github/workflows/release.yml | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 6d8d17740b..a12dcaf2e1 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -1,12 +1,13 @@
 name: release
-permissions:
-  contents: write
-  packages: write
-  actions: write
 on:
   release:
     types: [created]
   workflow_dispatch:
+
+permissions:
+  contents: write
+  id-token: write
+
 jobs:
   deploy-npm-module:
     runs-on: ubuntu-latest
@@ -35,8 +36,6 @@ jobs:
         echo "version=$VERSION" >> $GITHUB_OUTPUT
         echo "PROJECT=$PROJECT" >> $GITHUB_ENV
     - run: npm publish
-      env:
-        NODE_AUTH_TOKEN: ${{ secrets.NPM_DEPLOY_TOKEN }}
   upload-asset:
     runs-on: ubuntu-latest
     needs: deploy-npm-module

From 5302232a6bc12ed70c85c712920518064e1111db Mon Sep 17 00:00:00 2001
From: George Raduta <george.raduta@cern.ch>
Date: Wed, 7 Jan 2026 16:40:21 +0100
Subject: [PATCH 2/2] Use Node 24 to force NPM 11 for trusted publisher feature

---
 .github/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index a12dcaf2e1..3a355a1037 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -17,7 +17,7 @@ jobs:
     - uses: actions/checkout@v6
     - uses: actions/setup-node@v6
       with:
-        node-version: '22.x'
+        node-version: '24.x'
         registry-url: 'https://registry.npmjs.org'
     - name: Check released tag matches ALICE O2 naming pattern
       run: |