Merge pull request #5 from No898/update

Prepare 2.2.0 release

Author: No898

.github/workflows/ci.yml

@@ -36,15 +36,16 @@ jobs:
 
     permissions:
       contents: read
+      id-token: write
 
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
 
-      - name: Use Node.js from .nvmrc
+      - name: Use Node.js for trusted publishing
         uses: actions/setup-node@v4
         with:
-          node-version-file: ".nvmrc"
+          node-version: "24"
           cache: npm
           registry-url: "https://registry.npmjs.org"
 
@@ -71,5 +72,3 @@ jobs:
       - name: Publish to npm
         if: steps.release_state.outputs.should_publish == 'true'
         run: npm publish --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

README.md

@@ -332,14 +332,22 @@ Update the package version, then merge the change into `main` or `master`.
 
 The release workflow runs only on pushes to `main` and `master`, plus manual dispatches from those branches. It publishes only when `package.json` is ahead of the current npm version, so routine merges without a version bump are skipped cleanly.
 
+Publishing uses npm trusted publishing via GitHub Actions OIDC. Configure the package on npm with:
+
+- publisher: `GitHub Actions`
+- organization or user: `No898`
+- repository: `RocketCursor`
+- workflow filename: `ci.yml`
+- environment name: leave empty unless you use a protected GitHub Actions environment
+
 Recommended flow:
 
 - run `npm run version:patch`, `npm run version:minor`, or `npm run version:major`
 - commit the version bump
 - merge the branch into `main` or `master`
 - let GitHub Actions publish automatically, or trigger the release workflow manually from `main`/`master`
 
-The release workflow expects an `NPM_TOKEN` repository secret with publish access.
+After trusted publishing is configured, you do not need an `NPM_TOKEN` secret for releases.
 
 If you want to verify the version manually before tagging, run: