
ci(release): switch to npm trusted publishing (OIDC) #8

Merged
yurenju merged 1 commit into main from claude/trusted-publishing on May 27, 2026

Conversation

yurenju (Contributor) commented May 27, 2026

Summary

Retires the long-lived NPM_TOKEN secret in favour of npm Trusted Publishing (OIDC). After this merges + the npm UI side is configured, the release workflow authenticates to npm via a short-lived OIDC token issued per workflow run — there is no long-lived secret to leak or rotate.

What changes in release.yml

  • Add npm install -g npm@latest step before npm ci to guarantee npm ≥ 11.5.1 (the minimum that understands the OIDC token exchange). Runner-bundled npm can lag behind even on Node 24.
  • Add --provenance to npm publish (both dry-run and real). npm docs claim provenance is automatic under trusted publishing, but real-world reports (e.g. Phil Nash, 2026-01-28) show the flag is still required to actually emit the attestation. Defensive flag — does nothing harmful when redundant.
  • Remove the env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} block from the Publish step. With OIDC the npm CLI exchanges the id-token automatically; supplying a _authToken would actually fall back to classic auth and skip OIDC.

permissions: id-token: write was already in place from a previous unrelated change — no change to permissions needed.

Operator checklist before merging

The trusted-publisher configuration on the npm side must be in place before this can publish successfully. The configuration was set up at:

After merge

  1. Re-run the failed v0.0.3 release: https://github.com/sadcoderlabs/wspc-cli/actions/runs/26509550425 — Re-run failed jobs. With the merged workflow + trusted-publisher config in place, npm publish --provenance should succeed.
  2. Revoke the old npm token: https://www.npmjs.com/settings//tokens — delete the wspc-cli automation token. With OIDC there is nothing for it to authenticate.
  3. Delete the GitHub secret: https://github.com/sadcoderlabs/wspc-cli/settings/secrets/actions — remove NPM_TOKEN.

Why this is safer

| | Classic / Automation token | Trusted Publishing (OIDC) |
|---|---|---|
| Long-lived secret stored in GH | Yes | No |
| Leak surface | Anywhere the secret reaches: log, env, container | None — token is minted at job start, dies at job end |
| Rotation burden | Manual every N months | None |
| Provenance | Manual --provenance flag | Automatic (with --provenance for safety) |
| Revoking access | Revoke token in npm | Edit npm trusted-publisher config (no token to leak) |

Sources:
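The three preconditions the PR description sets out (npm at or above 11.5.1, no classic token reachable by the CLI, and an id-token available to the job) turned into a preflight script to run before `npm publish`. This is an added example, not code from the PR or from the wspc-cli project. It assumes that `ACTIONS_ID_TOKEN_REQUEST_URL` and `ACTIONS_ID_TOKEN_REQUEST_TOKEN` being set in the job environment is the sign that `permissions: id-token: write` was granted, that `NPM_CONFIG_USERCONFIG` (falling back to `~/.npmrc`) is the file where a setup-node `_authToken` line would live, and the script name `npm-oidc-preflight.sh` is the reader's choice.

```shell
#!/bin/sh
# npm-oidc-preflight.sh: fail fast if the job cannot publish via OIDC.
# Added example, not part of the wspc-cli repository.

# Minimum npm that understands the OIDC token exchange, as stated in the PR.
NPM_MIN_VERSION="11.5.1"

# version_ge ACTUAL MIN: succeed when ACTUAL >= MIN. Components are compared
# numerically (so 11.10.0 > 11.5.1); a missing component counts as 0 and a
# "-pre" suffix on a component does not lower the result.
version_ge() {
  printf '%s\n%s\n' "$2" "$1" | awk -F. '
    { for (i = 1; i <= 3; i++) v[NR, i] = $i + 0 }
    END {
      for (i = 1; i <= 3; i++) {
        if (v[2, i] > v[1, i]) exit 0
        if (v[2, i] < v[1, i]) exit 1
      }
      exit 0
    }'
}

# classic_auth_present NPMRC: succeed when a classic token is reachable by
# npm. Per the PR description, a token in the environment or an _authToken
# line in .npmrc makes the CLI use classic auth and skip OIDC, so this check
# is deliberately conservative.
classic_auth_present() {
  npmrc=$1
  if [ -n "${NODE_AUTH_TOKEN:-}" ] || [ -n "${NPM_TOKEN:-}" ]; then
    return 0
  fi
  if [ -f "$npmrc" ] && grep -q '_authToken' "$npmrc"; then
    return 0
  fi
  return 1
}

# oidc_available: succeed when the Actions runtime exposes the id-token
# request endpoint (assumption: both variables are set only when the job
# has permissions: id-token: write).
oidc_available() {
  [ -n "${ACTIONS_ID_TOKEN_REQUEST_URL:-}" ] && [ -n "${ACTIONS_ID_TOKEN_REQUEST_TOKEN:-}" ]
}

preflight() {
  npmrc=${NPM_CONFIG_USERCONFIG:-$HOME/.npmrc}
  actual=$(npm --version) || { echo "preflight: npm not found" >&2; return 1; }
  if ! version_ge "$actual" "$NPM_MIN_VERSION"; then
    echo "preflight: npm $actual < $NPM_MIN_VERSION; run: npm install -g npm@latest" >&2
    return 1
  fi
  if classic_auth_present "$npmrc"; then
    echo "preflight: classic token present (NODE_AUTH_TOKEN/NPM_TOKEN or _authToken in $npmrc); npm would skip OIDC" >&2
    return 1
  fi
  if ! oidc_available; then
    echo "preflight: no ACTIONS_ID_TOKEN_REQUEST_URL; job lacks permissions: id-token: write" >&2
    return 1
  fi
  echo "preflight ok: npm $actual, no classic token, id-token endpoint present"
}

# Run the checks only when invoked as: sh npm-oidc-preflight.sh run
if [ "${1:-}" = "run" ]; then
  preflight
fi
```

Wire it in as a step between `npm install -g npm@latest` and the dry-run publish (`run: sh scripts/npm-oidc-preflight.sh run`). The classic-token check is the one worth keeping even after NPM_TOKEN is deleted: according to the PR description a leftover `_authToken` does not produce an error, the CLI simply publishes with the token and the OIDC path is never exercised, so a green run would not prove the migration worked.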

yurenju merged commit f7651b0 into main on May 27, 2026
1 check passed
yurenju deleted the claude/trusted-publishing branch on May 27, 2026 at 12:13