From 63a7dac198f5ce71c477699aaafc6ebb2f04577a Mon Sep 17 00:00:00 2001
From: Gregory Nakaki <gregory.nakaki@viasat.com>
Date: Mon, 23 Mar 2026 13:15:04 -0700
Subject: [PATCH] GHA: Bump to 2.6.4 and use OIDC when publishing to npm

Switching npm publishing to use OIDC will resolve an issue where
the existing access token is no longer valid while also preventing
a need to manage token rotation. We also update node to 24.x as
20 is EOL on April 30, 2026.

Version 2.6.3 was released as an intermediate test in development.
---
 .github/workflows/push.yml | 18 ++++++++++++------
 package-lock.json          |  4 ++--
 package.json               |  2 +-
 3 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/push.yml b/.github/workflows/push.yml
index b7f7b16..c7bcaf3 100644
--- a/.github/workflows/push.yml
+++ b/.github/workflows/push.yml
@@ -62,21 +62,27 @@ jobs:
     needs: [ check-release ]
     name: Release NPM
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - name: Checkout Repository
         uses: actions/checkout@v4
         with: { submodules: 'recursive', fetch-depth: 0 }
 
-      # Setup .npmrc file to publish to npm
-      - uses: actions/setup-node@v4
+      - name: Setup Node
+        uses: actions/setup-node@v4
         with:
-          node-version: '20.x'
+          node-version: '24.x'
           registry-url: 'https://registry.npmjs.org'
-          scope: ''
+
+      - name: Upgrade npm to support OIDC
+        run: |
+          npm install -g npm@11.12.0
+          node --version
+          npm --version
 
       - run: npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
   release-docker-hub:
     needs: [ check-release ]
diff --git a/package-lock.json b/package-lock.json
index b4b7ef9..0532a61 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "conlink",
-  "version": "2.6.2",
+  "version": "2.6.4",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "conlink",
-      "version": "2.6.2",
+      "version": "2.6.4",
       "license": "SEE LICENSE IN LICENSE",
       "dependencies": {
         "@lonocloud/resolve-deps": "^0.1.0",
diff --git a/package.json b/package.json
index bd9fe47..6529bb4 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "conlink",
-  "version": "2.6.2",
+  "version": "2.6.4",
   "description": "conlink -  Declarative Low-Level Networking for Containers",
   "repository": "https://github.com/Viasat/conlink",
   "license": "SEE LICENSE IN LICENSE",