From 5e6c6223c0c713d7e0cba5f15e21124177ea0f2f Mon Sep 17 00:00:00 2001
From: Rob Hogan <2590098+robhogan@users.noreply.github.com>
Date: Wed, 24 Jun 2026 15:35:01 +0300
Subject: [PATCH] Enable npm trusted publish

 - Run `release.yml` with the `npm-publish` [environment](https://docs.github.com/en/actions/how-tos/deploy/configure-and-manage-deployments/manage-environments)
 - Bump to running `npm publish` under latest Node LTS - `npm` CLI >= 11.5 (bundled with Node v24) is required for trusted publish.
 - Remove unused `NPM_TOKEN`
---
 .github/workflows/release.yaml | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index c721148..4e7d6f3 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -20,6 +20,7 @@ on:
 jobs:
   publish_template:
     runs-on: ubuntu-latest
+    environment: npm-publish
     steps:
       - name: Safeguard against branch name
         run: |
@@ -32,7 +33,7 @@ jobs:
       - name: Setup node.js
         uses: actions/setup-node@v4.0.0
         with:
-          node-version: 22
+          node-version: 'lts/*'
           registry-url: 'https://registry.npmjs.org'
       - name: Determine new template version
         run: echo "VERSION=$(./scripts/bumpedTemplateVersion.sh ${{ inputs.version }})" >> $GITHUB_ENV
@@ -57,8 +58,6 @@ jobs:
           "${GIT[@]}" tag $VERSION
           "${GIT[@]}" push --tags
       - name: Publish on NPM (with tag if needed)
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: |
           args=(--dry-run)
           if [ "${{ inputs.dry_run }}" = "false" ]; then