feat(ci): migrate to OIDC Trusted Publishing

- Upgrade Node to v24 for built-in npm 11.x OIDC support
- SHA-pin GitHub Actions to prevent tag hijacking
- Add registry-url for OIDC token configuration
- Remove NPM_TOKEN dependency, use OIDC authentication
- Add skipChecks to release-it (OIDC doesn't support npm whoami)
- Add --ignore-scripts protection for dependency installation

Author: ryota-murakami

.github/actions/prepare/action.yml

@@ -5,15 +5,13 @@ name: Prepare
 runs:
   steps:
     - name: Install pnpm
-      uses: pnpm/action-setup@v4
-      with:
-        version: 10
+      uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
     - name: Use Node.js
-      uses: actions/setup-node@v4
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
       with:
-        node-version: '22'
-        cache: 'pnpm'
+        node-version: '24'
+        registry-url: 'https://registry.npmjs.org'
     - name: Install dependencies
-      run: pnpm install
+      run: pnpm install --frozen-lockfile --ignore-scripts
       shell: bash
   using: composite

.github/workflows/release.yml

@@ -7,7 +7,7 @@ on:
 
 permissions:
   contents: write
-  id-token: write
+  id-token: write # Required for OIDC Trusted Publishing
 
 concurrency:
   cancel-in-progress: true
@@ -17,20 +17,21 @@ jobs:
   release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      # SHA-pinned actions (prevent tag hijacking)
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
           fetch-depth: 0
       - uses: ./.github/actions/prepare
       - run: git config user.name "${{ github.actor }}"
       - run: git config user.email "${{ github.actor }}@users.noreply.github.com"
+
+      # Release with OIDC (NO NPM_TOKEN needed)
+      # ⚠️ Do NOT set NODE_AUTH_TOKEN - OIDC handles auth automatically
       - env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-        run: npm config set //registry.npmjs.org/:_authToken $NPM_TOKEN
-      - env:
-          GITHUB_TOKEN: ${{ secrets.ACCESS_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         # Check if the latest commit message contains a release tag pattern (e.g., "release v1.2.3")
         # If found, execute release-it without version increment since version was already bumped in the commit
         run: |
           if git log --format=%B -n 1 | grep -E -q 'release v[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}'; then
-            pnpm release-it --no-increment  --verbose
+            pnpm release-it --no-increment --verbose
           fi

.release-it.json

@@ -11,6 +11,7 @@
     "releaseNotes": "git log --no-merges --pretty=format:\"* %s %h\" ${latestTag}...main | grep -v 'release v[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}\\.[0-9]\\{1,3\\}'\n"
   },
   "npm": {
-    "publishArgs": ["--provenance"]
+    "publish": true,
+    "skipChecks": true
   }
 }

package.json

@@ -37,7 +37,7 @@
     "git-gpt": "./index.js"
   },
   "volta": {
-    "node": "22.18.0"
+    "node": "24.13.0"
   },
   "devDependencies": {
     "@laststance/npm-publish-tool": "^1.6.9",