enable npm trusted publishing

switch from token-based auth to OIDC provenance for npm publishes

Author: peteretelej

.github/workflows/release.yml

@@ -147,18 +147,17 @@ jobs:
     runs-on: ubuntu-latest
     needs: test
     if: startsWith(github.ref, 'refs/tags/v')
-    environment:
-      name: npm
-      url: https://www.npmjs.com/package/directory-indexer
-
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
 
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: "18"
+          node-version: "22"
           registry-url: "https://registry.npmjs.org"
           cache: "npm"
 
@@ -172,6 +171,4 @@ jobs:
         run: npm pack --dry-run
 
       - name: Publish to npm
-        run: npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npm publish --provenance --access public

package.json

@@ -42,6 +42,10 @@
   "engines": {
     "node": ">=18.0.0"
   },
+  "publishConfig": {
+    "provenance": true,
+    "access": "public"
+  },
   "files": [
     "dist/",
     "bin/"