From 89193a5da6be2209b53cd25f24c5ece270bf7d00 Mon Sep 17 00:00:00 2001
From: gnbm
Date: Sat, 8 Nov 2025 23:34:54 +0000
Subject: [PATCH 1/2] Update release yaml to use trusted publishers approach
---
 .github/workflows/cd.yml | 25 ++++++++++++++-----------
 .github/workflows/ci.yml | 10 +++++-----
 2 files changed, 19 insertions(+), 16 deletions(-)
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index d90040a..b141e9f 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -5,33 +5,36 @@ on:
 branches:
 - stable
+permissions:
+ contents: read
+ id-token: write
+
 jobs:
 build:
 name: Build, Test, and Deploy
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
 fetch-depth: 0
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
 with:
- node-version: 18
- - name: Configure Identity
+ node-version: 20
+ registry-url: 'https://registry.npmjs.org'
+ - name: 🔒 Configure Identity
 run: |
 git config user.name github-actions
 git config user.email github-actions@github.com
- - name: Prepare NPM Token
- run: echo //registry.npmjs.org/:_authToken=${NPM_TOKEN} > .npmrc
+ - name: 🟢 Ensure Latest npm
+ run: npm install -g npm@latest
 shell: bash
- env:
- NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
- - name: Install Dependencies
+ - name: 📦 Install Dependencies
 run: npm ci --no-package-lock
 shell: bash
- - name: Bootstrap
+ - name: 🔄 Bootstrap
 run: npm run bootstrap -- --ignore-scripts
 shell: bash
- - name: Release
+ - name: 🚀 Release
 run: npm run publish:ci
 shell: bash
 env:
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 5e2dbea..981d069 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
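Review bot: In `.github/workflows/cd.yml`, the new `Ensure Latest npm` step runs `npm install -g npm@latest` inside the same job that now holds `id-token: write`, so the publishing toolchain floats even though the two actions in this hunk are pinned to commit SHAs. Pin the CLI to a reviewed release that supports trusted publishing, e.g. `run: npm install -g npm@<pinned-version>`. The unchanged `npm ci --no-package-lock` step also resolves dependencies without a lockfile and, by default, runs their install scripts before the Release step, so consider declaring the permissions under `jobs.build` (or a separate publish job) rather than at workflow level to keep the OIDC-capable scope as small as possible. Separately, `contents: read` would block any tag or commit push that `publish:ci` performs with `GH_TOKEN`; the script is not visible here, so confirm that it does not need write access. The Release step's `env:` block continues outside the hunk.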
@@ -10,19 +10,19 @@ on:
 jobs:
 build-and-test:
- name: Build and Test (Node ${{ matrix.node }})
+ name: 🏗️ Build and Test (Node ${{ matrix.node }})
 runs-on: ubuntu-latest
 timeout-minutes: 30
 strategy:
 matrix:
 node:
- - 18.x
+ - 20.x
 steps:
- - uses: actions/setup-node@v4
+ - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
 with:
 node-version: ${{ matrix.node }}
- - uses: actions/checkout@v4
- - name: Restore Dependency Cache
+ - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+ - name: 🔄 Restore Dependency Cache
 uses: actions/cache@v4
 with:
 path: ~/.npm
From d51f90b9413c05b42aea85ac63503ad94719a4c8 Mon Sep 17 00:00:00 2001
From: gnbm
Date: Sun, 9 Nov 2025 14:45:31 +0000
Subject: [PATCH 2/2] Update cd.yml
---
 .github/workflows/cd.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
index b141e9f..4f9d34c 100644
--- a/.github/workflows/cd.yml
+++ b/.github/workflows/cd.yml
@@ -35,7 +35,7 @@ jobs:
 run: npm run bootstrap -- --ignore-scripts
 shell: bash
 - name: 🚀 Release
- run: npm run publish:ci
+ run: npm run publish:ci -- --provenance
 shell: bash
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
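Review bot: In `.github/workflows/ci.yml`, `actions/cache@v4` on the `Restore Dependency Cache` step is still referenced by a mutable tag, while `actions/setup-node` and `actions/checkout` in the same hunk are now pinned to full commit SHAs. Pin it the same way for consistency, `uses: actions/cache@<full-commit-sha> # v4.x.y`, taking the SHA from the release you have reviewed. The step's `with:` block continues outside the hunk.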
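Review bot: In PATCH 2/2 for `.github/workflows/cd.yml`, `--provenance` is appended after `npm run publish:ci --`, so it is handed to whatever command the `publish:ci` script wraps, which is not visible here; if that command is not `npm publish` itself, the flag may be ignored or rejected. Setting the option through the environment does not depend on the wrapper: add `NPM_CONFIG_PROVENANCE: "true"` to the step's existing `env:` block next to `GH_TOKEN`. A comment such as `# provenance attestation needs id-token: write (set at workflow level)` on the Release step would also keep that permission from being dropped later.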