feat: migrate to npm trusted publishers (OIDC)

- Add id-token: write permission for OIDC authentication
- Remove NPM_TOKEN secret dependency
- Upgrade to Node.js 20 and latest npm (>= 11.5.1)
- Add --provenance flag for package attestation
- Aligns with TypeScript SDK trusted publisher configuration

Author: nicolaiarocci

.github/workflows/release.yml

@@ -26,16 +26,22 @@ jobs:
   npm-publish:
     needs: github-release
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - name: Checkout
         uses: actions/checkout@v4
 
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '18'
+          node-version: '20'
           registry-url: 'https://registry.npmjs.org'
 
+      - name: Upgrade npm to latest
+        run: npm install -g npm@latest
+
       - name: Install dependencies
         run: npm install
 
@@ -53,6 +59,4 @@ jobs:
           fi
 
       - name: Publish to NPM
-        run: npm publish --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npm publish --provenance --access public