ci: use Node 24 and scope id-token permission to job

Node 24 is required for npm's OIDC-based provenance publishing.
Moved id-token: write to the job level to follow least-privilege practice.

Co-Authored-By: Claude <noreply@anthropic.com>

Author: vinta

.github/workflows/publish.yml

@@ -6,11 +6,12 @@ on:
 
 permissions:
   contents: read
-  id-token: write
 
 jobs:
   publish:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     steps:
       - uses: actions/checkout@v6
 
@@ -42,7 +43,7 @@ jobs:
 
       - uses: actions/setup-node@v6
         with:
-          node-version: '22'
+          node-version: '24'
           registry-url: 'https://registry.npmjs.org'
 
       - run: npm publish --provenance --access public