fix: enable trusted npm publish

[Dhruv2mars]

Summary

• switch npm trusted publishing path to use provenance like mdv
• opt workflows into Node 24 for GitHub action runtime warnings
• update workflow contract tests for the fixed publish path

Verify

• bun run --filter @dhruv2mars/codexchat test
• bun run check
• failed release run 23333379957 showed npm trusted publisher path without provenance hit ENEEDAUTH

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c7246e3d-c365-431f-a445-e55328fa1aeb

📥 Commits

Reviewing files that changed from the base of the PR and between 799f1a7 and 77190a5.

📒 Files selected for processing (3)

• .github/workflows/ci.yml
• .github/workflows/release.yml
• packages/cli/test/release-contract.test.js

---

📝 Walkthrough

Walkthrough

The pull request introduces a workflow-level environment variable FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true to both the CI and release GitHub Actions workflows, configuring JavaScript actions to use Node 24. Additionally, the release workflow's npm publish command is updated to include the --provenance flag, enabling provenance metadata generation during package publication. The corresponding release contract test is updated to verify both the new provenance flag in the publish command and the presence of the Node 24 environment variable.

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/npm-trusted-publish

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}