From 1d81509e1a7ee0155c2cfabc4ca4a9a11861366e Mon Sep 17 00:00:00 2001
From: Nicolas Vuillamy <nicolas.vuillamy@gmail.com>
Date: Sat, 24 Jan 2026 10:54:03 +0100
Subject: [PATCH] chore(workflows): consolidate deployment workflows and
 implement OIDC for npm publishing

---
 .github/workflows/deploy-beta.yml    | 50 ----------------------
 .github/workflows/deploy-release.yml | 46 --------------------
 .github/workflows/deploy.yml         | 64 ++++++++++++++++++++++++++++
 CHANGELOG.md                         |  5 +++
 4 files changed, 69 insertions(+), 96 deletions(-)
 delete mode 100644 .github/workflows/deploy-beta.yml
 delete mode 100644 .github/workflows/deploy-release.yml
 create mode 100644 .github/workflows/deploy.yml

diff --git a/.github/workflows/deploy-beta.yml b/.github/workflows/deploy-beta.yml
deleted file mode 100644
index b639677..0000000
--- a/.github/workflows/deploy-beta.yml
+++ /dev/null
@@ -1,50 +0,0 @@
----
-#
-# Documentation:
-# https://help.github.com/en/articles/workflow-syntax-for-github-actions
-#
-
-#######################################
-# Start the job on all push to master #
-#######################################
-name: 'Build & Deploy - Beta'
-on:
-  push:
-    branches:
-      - main
-      - master
-
-permissions: read-all
-
-concurrency:
-  group: ${{ github.ref_name }}-${{ github.workflow }}
-  cancel-in-progress: true
-
-###############
-# Set the Job #
-###############
-jobs:
-
-  # Deploy to NPM
-  deploy_to_npm:
-    name: Deploy to NPM (beta)
-    runs-on: ubuntu-latest
-    permissions: read-all
-    environment:
-      name: beta
-    steps:
-      - uses: actions/checkout@v6
-      - uses: actions/setup-node@v6.2.0
-        with:
-          node-version: "24.x"
-          registry-url: "https://registry.npmjs.org"
-          scope: nvuillam
-      - run: npm ci
-      - run: |
-          git config --global user.name nvuillam
-          git config --global user.email nicolas.vuillamy@gmail.com
-      - run: BETAID=$(date '+%Y%m%d%H%M') && npm version prerelease --preid="beta$BETAID"
-        shell: bash
-      - run: npm publish --tag beta
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/deploy-release.yml b/.github/workflows/deploy-release.yml
deleted file mode 100644
index 0e41592..0000000
--- a/.github/workflows/deploy-release.yml
+++ /dev/null
@@ -1,46 +0,0 @@
----
-#
-# Documentation:
-# https://help.github.com/en/articles/workflow-syntax-for-github-actions
-#
-
-#######################################
-# Start the job on all push to master #
-#######################################
-name: 'Build & Deploy - RELEASE'
-on:
-  release:
-    # Want to run the automation when a release is created
-    types: ['created']
-
-permissions: read-all
-
-concurrency:
-  group: ${{ github.ref_name }}-${{ github.workflow }}
-  cancel-in-progress: true
-
-###############
-# Set the Job #
-###############
-jobs:
-  deploy_to_npm:
-    name: Deploy to NPM (release)
-    runs-on: ubuntu-latest
-    permissions: read-all
-    environment:
-      name: release
-    steps:
-      - uses: actions/checkout@v6
-      # Setup .npmrc file to publish to npm
-      - uses: actions/setup-node@v6.2.0
-        with:
-          node-version: "24.x"
-          registry-url: "https://registry.npmjs.org"
-          scope: nvuillam
-      - run: npm ci
-      - run: |
-          git config --global user.name nvuillam
-          git config --global user.email nicolas.vuillamy@gmail.com
-      - run: npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
new file mode 100644
index 0000000..a928002
--- /dev/null
+++ b/.github/workflows/deploy.yml
@@ -0,0 +1,64 @@
+---
+name: 'Build & Deploy'
+
+on:
+  push:
+    branches:
+      - main
+  release:
+    types:
+      - published
+
+permissions:
+  contents: read
+  id-token: write
+
+concurrency:
+  group: ${{ github.ref_name }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+jobs:
+  deploy_beta:
+    name: Deploy to NPM (beta)
+    if: github.event_name == 'push'
+    runs-on: ubuntu-latest
+    environment:
+      name: release
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '24.x'
+          registry-url: 'https://registry.npmjs.org'
+          scope: nvuillam
+      - run: npm ci
+      - run: |
+          git config --global user.name nvuillam
+          git config --global user.email nicolas.vuillamy@gmail.com
+      - name: Bump beta prerelease version
+        run: |
+          BETAID=$(date '+%Y%m%d%H%M')
+          npm version prerelease --preid="beta${BETAID}"
+        shell: bash
+      - name: Publish beta package
+        run: npm publish --tag beta --provenance
+
+  deploy_release:
+    name: Deploy to NPM (release)
+    if: github.event_name == 'release' && github.event.action == 'created'
+    runs-on: ubuntu-latest
+    environment:
+      name: release
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '24.x'
+          registry-url: 'https://registry.npmjs.org'
+          scope: nvuillam
+      - run: npm ci
+      - run: |
+          git config --global user.name nvuillam
+          git config --global user.email nicolas.vuillamy@gmail.com
+      - name: Publish release package
+        run: npm publish --provenance
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2490b1c..3b3ee4d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,11 @@
 
 ## Unreleased
 
+## [4.3.2] 2025-01-24
+
+- Upgrade dependencies
+- Refactor workflows to use OIDC (npm Trusted Publishers) to publish package
+
 ## [4.3.1] 2025-12-04
 
 - Upgrade njre dependency