fix: enable npm provenance with OIDC trusted publishing

Schero94 · Schero94 · commit 9b72e8324ebb · 2025-12-14T14:44:03.000+01:00
- Added OIDC comment documentation to workflow
- Prepares for signed npm packages with provenance
diff --git a/.github/workflows/semantic-release.yml b/.github/workflows/semantic-release.yml
@@ -5,14 +5,18 @@ on:
     branches:
       - main
 
+# OIDC Trusted Publishing - No npm tokens needed!
+# npm trusts GitHub Actions directly via OIDC
+# See: https://docs.npmjs.com/generating-provenance-statements
+
 jobs:
   release:
     runs-on: ubuntu-latest
     permissions:
       contents: write
       issues: write
       pull-requests: write
-      id-token: write  # Required for npm provenance
+      id-token: write  # Required for OIDC trusted publishing
 
     steps:
       - name: Checkout
