From 4bb7318584b7e9784795994d945e620abf7c86bb Mon Sep 17 00:00:00 2001
From: Jessica G
Date: Fri, 26 Sep 2025 16:07:39 -0700
Subject: [PATCH] Update node-bindings.yml with permissions
Added permissions for id-token and contents in the workflow.
Signed-off-by: Jessica G
---
 .github/workflows/node-bindings.yml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/.github/workflows/node-bindings.yml b/.github/workflows/node-bindings.yml
index 42bf8bd..e3da558 100644
--- a/.github/workflows/node-bindings.yml
+++ b/.github/workflows/node-bindings.yml
@@ -8,6 +8,10 @@ on:
 branches: [ main ]
 workflow_dispatch:
+permissions:
+ id-token: write # Required for OIDC
+ contents: read
+
 jobs:
 ci_checks:
 name: Build checks
@@ -39,6 +43,10 @@ jobs:
 cache-dependency-path: bindings/node/package-lock.json
 registry-url: https://registry.npmjs.org/
+ # anchor to the smallest npm version supporting trusted publishing
+ - name: Update npm
+ run: npm install -g npm@11.5.1
+
 - name: Set up Go
 uses: actions/setup-go@v5
 with:
@@ -65,4 +73,3 @@ jobs:
 env:
 NPM_CONFIG_DRY_RUN: ${{ ( github.ref == 'refs/heads/main' || needs.ci_checks.outputs.publish_release == 'true' ) && 'false' || 'true' }}
 NPM_PUBLISH_TAG: ${{ ( needs.ci_checks.outputs.publish_release == 'true' ) && 'next' || 'next-unstable' }}
- NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
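Review bot: `id-token: write` is granted in the workflow-level `permissions:` block, so every job in this file can request an OIDC token, including `ci_checks` ("Build checks"), which from the visible lines does not appear to publish anything. Least privilege would keep only `contents: read` at the top level and give the job that runs the npm publish step (its name is outside the hunk) its own `permissions:` block with `id-token: write` and `contents: read`. A job-level block replaces the workflow-level one rather than merging with it, so `contents: read` has to be repeated there. Scoping it this way limits what a compromised build step or dependency in the non-publishing job could do with the token.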
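Review bot: The comment on the new `Update npm` step says "anchor to the smallest npm version", but `npm@11.5.1` is an exact pin, so later npm releases and their fixes are not picked up until someone edits this line. The comment should say that, for example `# pin npm to 11.5.1, the minimum release with trusted publishing (OIDC); bump deliberately`. npm 11 also declares a minimum Node.js version, so it is worth confirming that the `node-version` passed to the setup-node step above (outside the hunk) satisfies it; otherwise this step may fail or warn. The job's step list starts and ends outside the hunk.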