ci: switch release workflow to npm trusted publishing (OIDC) (#18)

Co-authored-by: Daniel Clayton <dan@Daniels-Mac-mini.local>

Author: danbot315

.github/workflows/release.yml

@@ -10,6 +10,7 @@ concurrency:
 
 permissions:
   contents: write
+  id-token: write
 
 jobs:
   release:
@@ -25,6 +26,12 @@ jobs:
         with:
           bun-version: 1.2.22
 
+      - name: Setup Node.js for npm Trusted Publishing
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          registry-url: 'https://registry.npmjs.org'
+
       - name: Install dependencies
         run: bun install --frozen-lockfile
 
@@ -46,19 +53,11 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: bun run changeset:version
 
-      - name: Configure npm auth for npmjs
-        if: steps.changesets.outputs.count != '0'
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}
-        run: |
-          echo "registry=https://registry.npmjs.org" >> ~/.npmrc
-          echo "//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}" >> ~/.npmrc
-
-      - name: Publish packages
+      - name: Publish packages (npm trusted publishing)
         if: steps.changesets.outputs.count != '0'
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_AUTH_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
         run: bun run changeset:publish
 
       - name: Commit version updates to main