Merge pull request #528 from algorandfoundation/chore/update-to-oidc-publishing

Chore/update to OIDC publishing

Author: lempira

.github/workflows/release.yml

@@ -13,6 +13,7 @@ concurrency: release
 permissions:
   contents: write
   issues: read
+  id-token: write
 
 jobs:
   ci:
@@ -63,6 +64,8 @@ jobs:
     name: Release
     needs: build
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     steps:
       - name: Generate bot token
         uses: actions/create-github-app-token@v1
@@ -82,9 +85,10 @@ jobs:
 
       # semantic-release needs node 20
       - name: Use Node.js 20.x
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: 20.x
+          registry-url: 'https://registry.npmjs.org'
 
       - name: Download built package
         uses: actions/download-artifact@v4
@@ -105,4 +109,3 @@ jobs:
         run: npx semantic-release
         env:
           GITHUB_TOKEN: ${{ steps.app_token.outputs.token }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

.nsprc

@@ -1,12 +1,7 @@
 {
-  "1109842": {
+  "1112496": {
     "active": true,
-    "notes": "Bundled dependency in NPM, which cannot be overriden and has no update available yet.",
-    "expiry": "2026-01-28"
-  },
-  "1112148": {
-    "active": true,
-    "notes": "Bundled dependency in NPM via semantic-release chain. Low severity DoS (CWE-400, CWE-1333) in [email protected] parsePatch/applyPatch functions. Cannot be overridden until npm releases updated bundle. Mitigation: Only affects dev dependencies, not production runtime. See GHSA-73rr-hh4g-fpgx",
-    "expiry": "2026-01-30"
+    "notes": "undici is used in @semantic-release/npm and this hasn't been fixed",
+    "expiry": "2026-02-15"
   }
 }