fix: enable npm provenance with OIDC trusted publishing

- Added NPM_CONFIG_PROVENANCE for signed npm packages
- Added OIDC documentation comment to workflow

Author: Schero94

.github/workflows/semantic-release.yml

@@ -5,14 +5,17 @@ on:
     branches:
       - main
 
+# OIDC Trusted Publishing - npm provenance for signed packages
+# See: https://docs.npmjs.com/generating-provenance-statements
+
 jobs:
   release:
     runs-on: ubuntu-latest
     permissions:
       contents: write
       issues: write
       pull-requests: write
-      id-token: write
+      id-token: write  # Required for OIDC trusted publishing
 
     steps:
       - name: Checkout
@@ -41,4 +44,5 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
         run: npx semantic-release