From af6fe9fcdb7118b194a3577eea90c115a4570042 Mon Sep 17 00:00:00 2001
From: Brian Smith <112954497+brian-smith-tcril@users.noreply.github.com>
Date: Tue, 27 Jan 2026 09:14:11 -0500
Subject: [PATCH] chore(ci): update semantic release workflow to use OIDC (#660)
---
 .github/workflows/release.yml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 068bb1a..7bf25d0 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -4,10 +4,17 @@ on:
 branches:
 - master
 - alpha
+permissions:
+ contents: read # for checkout
 jobs:
 release:
 name: Release
 runs-on: ubuntu-latest
+ permissions:
+ contents: write # to be able to publish a GitHub release
+ issues: write # to be able to comment on released issues
+ pull-requests: write # to be able to comment on released pull requests
+ id-token: write # to enable use of OIDC for trusted publishing and npm provenance
 steps:
 - name: Checkout
 uses: actions/checkout@v5
@@ -39,9 +46,6 @@ jobs:
 - name: Build
 run: npm run build
 - name: Release
- uses: cycjimmy/semantic-release-action@v3
- with:
- semantic_version: 16
 env:
 GITHUB_TOKEN: ${{ secrets.SEMANTIC_RELEASE_GITHUB_TOKEN }}
- NPM_TOKEN: ${{ secrets.SEMANTIC_RELEASE_NPM_TOKEN }}
+ run: npx semantic-release@25
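Review bot: The job-level `contents: write`, `issues: write` and `pull-requests: write` grants apply only to the workflow's built-in token, yet the Release step in the later hunk still passes `secrets.SEMANTIC_RELEASE_GITHUB_TOKEN` as `GITHUB_TOKEN`. If that secret is a PAT or app token, the three write scopes are never exercised by the release, while every step in the job, including `npm run build`, still holds them; the job would then need only `contents: read` and `id-token: write`. If the secret is not required, use `GITHUB_TOKEN: ${{ github.token }}` in the Release step so the declared scopes are the ones actually in effect and the long-lived secret can be retired. The `steps:` list continues outside this hunk, so any other consumers of the token are not visible here.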
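Review bot: `run: npx semantic-release@25` resolves whatever 25.x release and plugin tree the registry serves at run time, in the one step that holds `GITHUB_TOKEN` and, through the job's `id-token: write`, can obtain the OIDC publishing credential. A bad upstream release would therefore run with publish rights and nothing in the repository would record which version ran. Prefer adding `semantic-release` to `devDependencies` so the lockfile pins it and its dependencies, then invoke it with `run: npx --no-install semantic-release`; failing that, pin an exact version instead of the major. The install steps sit outside this hunk, so whether the job installs from a lockfile cannot be confirmed from here.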