Move to trusted publisher

https://docs.npmjs.com/trusted-publishers

Author: JamesPHoughton

.github/workflows/publish.yml

@@ -1,23 +1,22 @@
-name: Publish package to GitHub Packages
+name: Publish package to npm (trusted publisher)
 on:
   push:
     branches:
       - main
+permissions:
+  contents: read
+  id-token: write # required for npm trusted publisher (OIDC)
 jobs:
   build:
-    runs-on: ubuntu-latest 
-    permissions: 
-      contents: read
-      packages: write 
+    runs-on: ubuntu-latest
+
     steps:
-      - uses: actions/checkout@v3
-      # Setup .npmrc file to publish to GitHub Packages
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
         with:
-          node-version: '18.x'
-          registry-url: 'https://registry.npmjs.org'
+          node-version: "18.x"
+          registry-url: "https://registry.npmjs.org"
       - run: npm ci
       - run: npm run build
-      - run: npm publish --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+      # OIDC auth + provenance; no token needed when using trusted publishers
+      - run: npm publish --provenance --access public