AB#95879 Switch to OIDC for NPMJS Auth.

[buckett]

For publishing we would have to use very short lived tokens, so we switch to OIDC which means we don't need tokens.

We bump the node version to get the version of npm that supports this.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[Copilot]

Pull Request Overview

This PR switches from NPM token-based authentication to OpenID Connect (OIDC) for publishing packages to npmjs.com, eliminating the need for storing long-lived tokens. It also updates the Node.js version to support the required npm features.

• Removes NPM token authentication in favor of OIDC authentication
• Updates Node.js version from 22 to 24.10.0 to get npm version with OIDC support
• Adds required OIDC permissions to the GitHub workflow

Reviewed Changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.

File	Description
.nvmrc	Updates Node.js version to 24.10.0 for npm OIDC support
.github/workflows/release-tags.yml	Configures OIDC permissions and removes NPM token authentication

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[Copilot]

The npm publish command needs to be configured to use OIDC authentication. You should add the --provenance flag to enable npm's built-in OIDC support, which will automatically use the GitHub OIDC token for authentication.

Suggested change

	- run: npm publish --access public
	- run: npm publish --access public --provenance

[buckett]

It's strange that https://docs.npmjs.com/trusted-publishers doesn't mention this.

[buckett]

The docs say:

   provenance

       •   Default: false

       •   Type: Boolean

       When publishing from a supported cloud CI/CD system, the package will be publicly linked to where it was built and
       published from.