Conversation

@nicknisi
Member

Enables npm Trusted Publishers for secure publishing without manual token management.

Changes:

  • Update Node version to 24 (required for npm 11+)
  • Add id-token: write permission for OIDC authentication
  • Add --provenance flag to publish commands
  • Remove NODE_AUTH_TOKEN environment variable (no longer needed)

Benefits:

  • More secure authentication using OIDC
  • Cryptographic provenance for published packages
  • No need to manage NPM_TOKEN secrets

@greptile-apps
greptile-apps bot commented Dec 19, 2025

Greptile Summary

Migrated npm publishing from manual token authentication to npm Trusted Publishers using OIDC.

Changes:

  • Upgraded to Node 24 (required for npm 11+ which supports Trusted Publishers)
  • Added id-token: write permission for OIDC token exchange
  • Removed NODE_AUTH_TOKEN environment variable and NPM_TOKEN secret dependency
  • Added --provenance flag to generate cryptographic attestations for published packages

Security improvements:

  • Eliminates long-lived npm tokens from GitHub secrets
  • Uses short-lived OIDC tokens that are automatically rotated
  • Provides cryptographic proof of package origin and build process
  • Reduces attack surface by removing manual credential management

Confidence Score: 5/5

  • This PR is safe to merge with minimal risk
  • The changes are well-scoped, follow npm's official Trusted Publishers implementation pattern, and improve security by replacing long-lived tokens with OIDC authentication. The Node 24 upgrade is necessary and appropriate for npm 11+ support. All required permissions are correctly configured.
  • No files require special attention

Important Files Changed

Filename                       | Overview
.github/workflows/release.yml  | Updated to Node 24 with OIDC authentication, removed manual token management, added --provenance flag

Sequence Diagram

sequenceDiagram
    participant GHA as GitHub Actions
    participant GHOIDC as GitHub OIDC Provider
    participant npm as npm Registry
    
    Note over GHA,npm: Release Workflow Triggered
    
    GHA->>GHA: Checkout code
    GHA->>GHA: Setup Node 24
    GHA->>GHA: Install dependencies
    GHA->>GHA: Build project
    
    alt Release (not prerelease)
        GHA->>GHOIDC: Request OIDC token
        GHOIDC-->>GHA: Return OIDC token
        GHA->>npm: Publish with --provenance (OIDC auth)
        npm-->>npm: Verify token & generate attestation
        npm-->>GHA: Package published with provenance
    else Pre-release
        GHA->>GHOIDC: Request OIDC token
        GHOIDC-->>GHA: Return OIDC token
        GHA->>npm: Publish --tag next with --provenance (OIDC auth)
        npm-->>npm: Verify token & generate attestation
        npm-->>GHA: Package published with provenance
    end
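
The before-and-after shape of the workflow that both the PR description and the Greptile summary above refer to, written out as an added example. This is not the repository's own .github/workflows/release.yml (its contents are not shown on this page) and not Greptile's output; the job layout, the build commands, the action versions and the prerelease detection via a hyphen in the tag name are assumptions. Only the settings the PR names come from the page: Node 24, the id-token: write permission, the --provenance flag, the "next" dist-tag for prereleases, and dropping NODE_AUTH_TOKEN.

```yaml
# Added example, not the repository's own release.yml. Job structure,
# build commands, action versions and the prerelease check are assumptions.

# --- BEFORE: long-lived automation token stored as a repository secret ---
name: release
on:
  push:
    tags: ["v*"]
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm run build
      - run: npm publish
        env:
          # A secret with no built-in expiry: anyone who exfiltrates it from
          # the runner or the secrets store can publish until it is revoked.
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

---
# --- AFTER: npm Trusted Publishers (OIDC) with provenance attestations ---
name: release
on:
  push:
    tags: ["v*"]
permissions:
  contents: read
  id-token: write   # allows the job to request a short-lived GitHub OIDC token
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 24   # ships npm 11, which supports trusted publishing
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm run build
      # Assumption: a hyphen in the tag (e.g. v1.2.3-beta.1) marks a prerelease,
      # which is published under the "next" dist-tag as in the PR's diagram.
      - name: Publish prerelease
        if: contains(github.ref_name, '-')
        run: npm publish --provenance --tag next
      - name: Publish release
        if: ${{ !contains(github.ref_name, '-') }}
        run: npm publish --provenance
      # No NODE_AUTH_TOKEN and no NPM_TOKEN secret: npm exchanges the job's
      # OIDC token with the registry, and --provenance records the source
      # repository and workflow run in a signed attestation.
```

Two checks a practitioner would want before relying on the second form: trusted publishing only succeeds once the package's settings on npmjs.com list this repository and this workflow filename as a trusted publisher, so the first publish after the switch should be watched for an authentication failure rather than assumed to work; and on the consuming side, `npm audit signatures` verifies the registry signatures and provenance attestations of installed packages, which is how the "cryptographic proof of package origin" named in the summary is actually checked.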

@greptile-apps greptile-apps bot left a comment

1 file reviewed, no comments

@nicknisi nicknisi merged commit f762e67 into main Dec 19, 2025
6 checks passed
@nicknisi nicknisi deleted the nicknisi/trusted-publisher branch December 19, 2025 16:41