chore: switch to npm trusted publishing (OIDC) for releases

- Add id-token: write permission for OIDC token minting
- Replace bun publish with npm publish --provenance --access public
- Add actions/setup-node@v5 with registry-url before publish step
- Move GitHub Release/tag creation after publish to avoid orphaned tags
- Fix repository URL casing to match GitHub (Zendrex, not zendrex)

Author: Zendrex

.github/workflows/release.yml

@@ -15,6 +15,7 @@ jobs:
     permissions:
       contents: write
       pull-requests: write
+      id-token: write
     steps:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/ci-setup
@@ -31,32 +32,41 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
-      - name: Create GitHub Release
-        id: github-release
+      - name: Check if release needed
+        id: check-release
         if: steps.changesets.outputs.hasChangesets == 'false'
         run: |
           VERSION=$(jq -r '.version' package.json)
           TAG="v${VERSION}"
 
           if git ls-remote --tags origin "$TAG" | grep -q "$TAG"; then
             echo "Tag $TAG already exists on remote, skipping"
-            echo "released=false" >> "$GITHUB_OUTPUT"
-            exit 0
+            echo "should-release=false" >> "$GITHUB_OUTPUT"
+          else
+            echo "should-release=true" >> "$GITHUB_OUTPUT"
+            echo "tag=$TAG" >> "$GITHUB_OUTPUT"
           fi
 
-          git tag "$TAG"
-          git push origin "$TAG"
-          gh release create "$TAG" --generate-notes --title "$TAG"
-          echo "released=true" >> "$GITHUB_OUTPUT"
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
       - name: Build
-        if: steps.github-release.outputs.released == 'true'
+        if: steps.check-release.outputs.should-release == 'true'
         run: bun run build
 
+      - uses: actions/setup-node@v5
+        if: steps.check-release.outputs.should-release == 'true'
+        with:
+          node-version: lts/*
+          registry-url: https://registry.npmjs.org
+
       - name: Publish to npm
-        if: steps.github-release.outputs.released == 'true'
-        run: bun publish --access public --ignore-scripts
+        if: steps.check-release.outputs.should-release == 'true'
+        run: npm publish --provenance --access public
+
+      - name: Create GitHub Release
+        if: steps.check-release.outputs.should-release == 'true'
+        run: |
+          TAG="${{ steps.check-release.outputs.tag }}"
+          git tag "$TAG"
+          git push origin "$TAG"
+          gh release create "$TAG" --generate-notes --title "$TAG"
         env:
-          NPM_CONFIG_TOKEN: ${{ secrets.NPM_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

package.json

@@ -62,12 +62,12 @@
 	},
 	"repository": {
 		"type": "git",
-		"url": "git+https://github.com/zendrex/annotate.git"
+		"url": "git+https://github.com/Zendrex/annotate.git"
 	},
 	"bugs": {
-		"url": "https://github.com/zendrex/annotate/issues"
+		"url": "https://github.com/Zendrex/annotate/issues"
 	},
-	"homepage": "https://github.com/zendrex/annotate#readme",
+	"homepage": "https://github.com/Zendrex/annotate#readme",
 	"keywords": [
 		"typescript",
 		"decorators",