ci: Switch to Trusted Publishing for NPM

See https://docs.npmjs.com/trusted-publishers

Author: kadler

.github/npm-tag.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+case "$1" in
+    *-rc*) echo tag=rc;;
+    *-beta*) echo tag=beta;;
+    *-alpha*) echo tag=alpha;;
+    *) echo tag=latest;;
+esac
+

.github/workflows/create-release.yml

@@ -4,6 +4,10 @@ on:
   push:
     tags: ["v*"]
 
+permissions:
+  id-token: write  # Required for OIDC
+  contents: read
+
 jobs:
   build-matrix:
     strategy:
@@ -56,6 +60,11 @@ jobs:
     - name: get-npm-version
       id: package-version
       run: jq -r '"version=" + .version' package.json  >> "$GITHUB_OUTPUT"
+    - name: get-npm-tag
+      id: package-tag
+      run: .github/npm-tag.sh $PACKAGE_VERSION >> "$GITHUB_OUTPUT"
+      env:
+        PACKAGE_VERSION: ${{ steps.package-version.outputs.version }}
     # Download all of the various binaries that were created
     - name: Download built binaries from workflow
       uses: actions/download-artifact@v5
@@ -75,6 +84,10 @@ jobs:
         files:
           ./binaries/odbc-*.tar.gz
     - name: Publish to NPM
-      uses: JS-DevTools/npm-publish@v3
+      uses: actions/setup-node@v4
       with:
-        token: ${{ secrets.NPM_TOKEN }}
+        node-version: '24'
+        registry-url: 'https://registry.npmjs.org'
+    - run: npm publish --tag $PACKAGE_TAG
+      env:
+        PACKAGE_TAG: ${{ steps.package-tag.outputs.tag }}