
@nicknisi
Member

Enables npm Trusted Publishers for secure publishing without manual token management.

Changes:

  • Update Node version to 24 (required for npm 11+)
  • Add id-token: write permission for OIDC authentication
  • Add --provenance flag to publish commands
  • Remove NODE_AUTH_TOKEN environment variable (no longer needed)

Benefits:

  • More secure authentication using OIDC
  • Cryptographic provenance for published packages
  • No need to manage NPM_TOKEN secrets

@nicknisi nicknisi requested a review from a team as a code owner December 19, 2025 15:47
@greptile-apps
Contributor

greptile-apps bot commented Dec 19, 2025

Greptile Summary

This PR successfully migrates npm package publishing from manual token-based authentication to OIDC-based Trusted Publishers, significantly improving security.

Key changes:

  • Upgraded Node.js from 18 to 24 (required for npm 11+ with Trusted Publishers support)
  • Added id-token: write permission to enable OIDC token requests
  • Added --provenance flag to both regular and pre-release publish commands for cryptographic attestation
  • Removed NODE_AUTH_TOKEN environment variable (replaced by OIDC authentication)

Security improvements:

  • Eliminates long-lived npm tokens that could be compromised
  • Uses short-lived OIDC tokens with automatic rotation
  • Provides cryptographic provenance for supply chain verification
  • Ties publishing directly to GitHub Actions workflow identity

The implementation is clean and follows npm's best practices for Trusted Publishers. No issues found.

Confidence Score: 5/5

  • This PR is safe to merge with no risk
  • The changes are minimal, well-understood, and follow npm's official guidance for Trusted Publishers. The migration from token-based auth to OIDC improves security posture with no functionality changes. Node 24 upgrade is required and well-tested.
  • No files require special attention

Important Files Changed

Filename: .github/workflows/release.yml
Overview: Migrated from NPM_TOKEN secret to OIDC-based Trusted Publishers with provenance, upgraded Node to 24

Sequence Diagram

sequenceDiagram
    participant GHA as GitHub Actions
    participant GHOIDC as GitHub OIDC Provider
    participant NPM as npm Registry
    
    Note over GHA: Workflow triggered on release
    GHA->>GHA: Checkout code
    GHA->>GHA: Setup Node 24
    GHA->>GHA: Install dependencies & run tests
    
    Note over GHA,NPM: Publishing with Trusted Publishers
    GHA->>GHOIDC: Request OIDC token (with id-token: write permission)
    GHOIDC->>GHA: Return JWT token
    GHA->>NPM: npm publish --provenance
    Note over GHA,NPM: Token includes repository, workflow, and commit info
    NPM->>NPM: Verify OIDC token against configured Trusted Publisher
    NPM->>NPM: Generate cryptographic provenance
    NPM->>GHA: Publish successful
    Note over NPM: Package published with provenance attestation
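The release workflow that the PR description and the Greptile summary above describe, written out as an added example rather than the repository's actual release.yml from this PR; the release trigger, action versions, step order, the contents: read permission and --access public are assumptions:

```yaml
name: Release

on:
  release:
    types: [published]   # assumed trigger; the PR does not show it

permissions:
  contents: read         # assumed; least privilege for checkout
  id-token: write        # added by the PR: lets the job request a GitHub OIDC token

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 24                       # PR bumps 18 -> 24 so the bundled npm is 11+
          registry-url: https://registry.npmjs.org

      - run: npm ci
      - run: npm test

      # Trusted Publishers: there is no NODE_AUTH_TOKEN / NPM_TOKEN in this step any more.
      # npm exchanges the workflow's OIDC token (repository, workflow and commit claims)
      # for a short-lived publish credential, and --provenance attaches an attestation
      # binding the published tarball to this workflow run.
      - run: npm publish --provenance --access public   # --access public assumed (scoped package)
```

The package on npmjs.com must already have a Trusted Publisher configured for this repository and this workflow file name; otherwise npm publish still expects a token and the job fails.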

@greptile-apps greptile-apps bot left a comment

1 file reviewed, no comments


@nicknisi nicknisi merged commit efe821c into main Dec 19, 2025
7 checks passed
@nicknisi nicknisi deleted the nicknisi/trusted-publisher branch December 19, 2025 16:09