Enable trusted publishing for npm releases

[Copilot]

Plan: Enable Trusted Publishing for Package Releases via GitHub

• Update .github/workflows/release-please.yml to add id-token: write permission for trusted publishing
• Update actions/setup-node@v4 to use always-auth: true for trusted publishing
• Remove the NODE_AUTH_TOKEN secret usage and replace with trusted publishing
• Create documentation file explaining the trusted publishing setup
• Verify the workflow configuration matches npm trusted publisher requirements
• Run code review to ensure changes are correct
• Run security checks with CodeQL
• Address review feedback and add safety notes
• Fix prettier formatting with correct version (2.8.3)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Enable Trusted Publishing for Package Releases via GitHub</issue_title>
<issue_description>## Goal
Adopt GitHub's trusted publishing workflow to securely publish packages, updating the release automation to leverage GitHub's built-in infrastructure.

Tasks

• Update the release-please.yml configuration file to:
  • Add required permissions for trusted publishing
  • Setup authentication to enable trusted publishing from GitHub Actions
  • Document the new setup and relevant configuration steps in the file or repo docs
• Verify permissions grant only the minimum scope needed for release workflow (e.g., id-token: write, contents: read)
• Test package publishing flow using trusted publishing
• Reference official docs and confirm latest requirements: https://docs.github.com/en/actions/publishing-packages/publishing-nodejs-packages/publishing-nodejs-packages-from-github-actions

Context

Switching to trusted publishing improves supply chain security and aligns with GitHub best practices for automated package releases.

Acceptance Criteria

• release-please.yml is updated with trusted publishing permissions
• Setup instructions are documented
• Release flow is tested and confirmed

---

If additional repository secrets or GitHub workflows are impacted, please note and review for security.</issue_description>

<agent_instructions>see instructions here https://docs.npmjs.com/trusted-publishers</agent_instructions>

Comments on the Issue (you are @copilot in this section)

• Fixes Enable Trusted Publishing for Package Releases via GitHub #722

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[NoopDog]

@copilot run prettier on the markdown file

[Copilot]

@copilot run prettier on the markdown file

Done in commit 65c1f17. Prettier adjusted the spacing in inline comments within the YAML code blocks.

[NoopDog]

@copilot [warn] docs/TRUSTED_PUBLISHING.md has prettier errors

[Copilot]

@copilot [warn] docs/TRUSTED_PUBLISHING.md has prettier errors

Fixed in commit 2d6b548. The issue was using npx prettier (v3.7.4) instead of the project's version (v2.8.3). The project's prettier version requires a blank line between numbered list items and nested bullet lists.

[frano-m]

LGTM! 🌮