From 43fcc5d10265540dd19317f73f7092ac044a7044 Mon Sep 17 00:00:00 2001
From: Peter Johnson <738069+missinglink@users.noreply.github.com>
Date: Fri, 5 Dec 2025 13:16:10 +0100
Subject: [PATCH] feat(npm): configure CI for NPM OIDC Tokens
---
 .github/workflows/push.yml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index 8c1f92953..2f71020ef 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -6,19 +6,21 @@ jobs:
 npm-publish:
 needs: unit-tests
 if: github.ref == 'refs/heads/master' && needs.unit-tests.result == 'success'
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
+ permissions:
+ id-token: write
+ contents: write
 steps:
 - uses: actions/checkout@v4
 - name: Install Node.js
 uses: actions/setup-node@v4
 with:
- node-version: 20.x
+ node-version: 22.x
 - name: Run semantic-release
 env:
- GH_TOKEN: ${{ secrets.GH_SEMANTIC_RELEASE_TOKEN }}
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: >
- if [[ -n "$GH_TOKEN" && -n "$NPM_TOKEN" ]]; then
+ if [[ "${{ github.repository_owner }}" == "pelias" ]]; then
 curl "https://raw.githubusercontent.com/pelias/ci-tools/master/semantic-release.sh" | bash -
 fi
 build-docker-images:
@@ -26,7 +28,7 @@ jobs:
 # note: github actions won't run a job if you don't call one of the status check functions, so `always()` is called since it evalutes to `true`
 if: ${{ always() && needs.unit-tests.result == 'success' && (needs.npm-publish.result == 'success' || needs.npm-publish.result == 'skipped') }}
 needs: [unit-tests, npm-publish]
- runs-on: ubuntu-22.04
+ runs-on: ubuntu-24.04
 steps:
 - uses: actions/checkout@v4
 - name: Build Docker images
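Review bot: The `Run semantic-release` step in `npm-publish` still pipes `semantic-release.sh` from the mutable `master` branch of pelias/ci-tools into bash, and the added `id-token: write` and `contents: write` mean that script now runs in a job able to request OIDC publishing tokens and push to this repository. Pinning the download to a reviewed commit, e.g. `curl -fsSL "https://raw.githubusercontent.com/pelias/ci-tools/<reviewed-commit-sha>/semantic-release.sh" | bash -` (placeholder SHA), would keep a change in ci-tools from altering the release path without a change here. The owner check would also be better placed in the job-level condition than interpolated into the shell: `if: github.repository_owner == 'pelias' && github.ref == 'refs/heads/master' && needs.unit-tests.result == 'success'`, so a fork never starts a job holding these permissions. Separately, npm's OIDC trusted publishing needs a recent npm CLI, which Node 22.x may not bundle; whether the fetched script upgrades npm is not visible from this hunk and is worth confirming.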