chore: migrate to OIDC Trusted Publishing for npm releases

- Remove classic npm token authentication
- Configure OIDC Trusted Publishing workflow
- Update release workflow to use id-token permissions
- Remove NPM_TOKEN secret dependency

References:
- https://github.blog/changelog/2025-12-09-npm-classic-tokens-revoked-session-based-auth-and-cli-token-management-now-available/
- https://docs.npmjs.com/trusted-publishers/
- https://github.blog/changelog/2025-07-31-npm-trusted-publishing-with-oidc-is-generally-available/

This migration improves security by removing the need for long-lived
npm tokens and leveraging GitHub's OIDC provider for authentication.

Author: sectsect

.github/workflows/release.yml

@@ -11,6 +11,7 @@ permissions:
   contents: write
   pull-requests: write
   packages: write
+  id-token: write
 
 jobs:
   release:
@@ -30,10 +31,11 @@ jobs:
         with:
           version: 10.22.0
 
-      - name: Setup Node.js 21.x
+      - name: Setup Node.js 24.x
         uses: actions/setup-node@v4
         with:
-          node-version: 21.x
+          node-version: 24.x
+          registry-url: 'https://registry.npmjs.org'
 
       - name: Install Dependencies
         run: pnpm i --frozen-lockfile
@@ -87,7 +89,6 @@ jobs:
           title: 'chore: release package(s)'
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       # - name: Send a Slack notification if a publish happens
       #   if: steps.changesets.outputs.published == 'true'

.npmrc

@@ -1 +1,2 @@
 auto-install-peers = true
+provenance=true