Boehringer-Ingelheim
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 13 additions & 4 deletions b/‎.github/workflows/release.yml‎
Lines changed: 13 additions & 4 deletions
diff --git a/‎.npmrc‎
Lines changed: 2 additions & 1 deletion b/‎.npmrc‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎.releaserc.js‎
Lines changed: 0 additions & 8 deletions b/‎.releaserc.js‎
Lines changed: 0 additions & 8 deletions
@@ -7,26 +7,35 @@ on:
       - next
       - feature/**
 
+permissions:
+  contents: read # for checkout
+
 jobs:
   release:
     env:
       # Disable husky (git hooks) in CI, see: https://typicode.github.io/husky/#/?id=disable-husky-in-cidocker
       HUSKY: 0
     name: Release
     runs-on: ubuntu-24.04
+    permissions:
+      contents: write # to be able to publish a GitHub release
+      issues: write # to be able to comment on released issues
+      pull-requests: write # to be able to comment on released pull requests
+      id-token: write # to enable use of OIDC for npm provenance
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
         with:
           fetch-depth: 0
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         with:
+          cache: npm
           node-version-file: '.nvmrc'
           registry-url: https://registry.npmjs.org/
-          cache: npm
       - name: Install Dependencies
         run: npm clean-install
+      - name: Verify the integrity of provenance attestations and registry signatures for installed dependencies
+        run: npm audit signatures
       - name: Release package to npm and GitHub
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: npm run release:ci
@@ -2,5 +2,6 @@
 
 @boehringer-ingelheim:registry=https://registry.npmjs.org/
 
+# Publish Configuration: https://docs.npmjs.com/cli/v11/commands/npm-publish#configuration
 access=public
-always-auth=true
+provenance=true
@@ -15,15 +15,7 @@ module.exports = {
   plugins: [
     '@semantic-release/commit-analyzer',
     '@semantic-release/release-notes-generator',
-    '@semantic-release/changelog',
     '@semantic-release/npm',
-    [
-      '@semantic-release/git',
-      {
-        assets: ['CHANGELOG.md', 'README.md', 'package.json', 'package-lock.json'],
-        message: 'chore(release): ${nextRelease.version} [skip ci]\n\n${nextRelease.notes}',
-      },
-    ],
     '@semantic-release/github',
   ],
 };