Implement npm trusted publishing

[Copilot]

Plan: Implement npm Trusted Publishing ✅

• Update all actions/setup-node to version v6 (updated from v1, v2, and v3.1.1)
• Add npm 11.5.1 installation step after setup-node in build-to-npm job
• Set permissions on the build-to-npm job for trusted publishing (id-token: write, contents: read, packages: write)
• Remove NPM_TOKEN authentication from build-to-npm job
• Set NODE_AUTH_TOKEN="" when publishing to npm
• Bump version in package.json (from 2.3.0 to 2.3.1)
• Keep NPM_TOKEN authentication for GitHub packages (no changes to build-to-github-packages)
• Fix prettier formatting issues (single quotes for NODE_AUTH_TOKEN)
• Verify the changes work correctly (code review passed, security check passed)

Summary of Changes

Workflow Changes (.github/workflows/ci.yml):

1. Updated all actions/setup-node to v6 across all jobs:

   • build-and-upload-artifacts: v3.1.1 → v6
   • run-mocha: v1 → v6
   • run-depcheck: v1 → v6
   • run-pre-commits: v1 → v6
   • build-to-npm: v2 → v6
   • build-to-github-packages: v2 → v6

2. Configured build-to-npm job for trusted publishing:

   • Added permissions block (id-token: write, contents: read, packages: write)
   • Added npm 11.5.1 installation step after setup-node with references to npm docs
   • Removed NPM_TOKEN authentication configuration
   • Added NODE_AUTH_TOKEN: '' environment variable to publish step

3. Preserved GitHub Packages authentication:

   • Left build-to-github-packages job unchanged except for setup-node version
   • NPM_TOKEN authentication still used for GitHub packages as required

Package Changes:

• Bumped version from 2.3.0 to 2.3.1 in package.json

Security Summary

✅ No security vulnerabilities detected by CodeQL analysis

Original prompt

---

This section details on the original issue you should resolve

<issue_title>@copilot use npm trusted publishing</issue_title>
<issue_description>- make sure we use actions/setup-node@v6, not older versions

• after calling setup-node, run this code:

    # See: https://docs.npmjs.com/trusted-publishers
    # See: https://github.com/actions/setup-node/issues/1445
    - name: Set npm to version that supports trusted publishers
      run: npm install -g npm@11.5.1
      shell: bash

• set permissions on the github workflow to:

permissions:
  id-token: write
  contents: read
  packages: write

• when calling pnpm publish to npm, set NODE_AUTH_TOKEN=""
• bump the version in package.json
• remove npm authentication using NPM_TOKEN, such as:

  - name: Configure npm authentication
        run: |
          pnpm config set always-auth true
          pnpm config set //registry.npmjs.org/:_authToken "${{ secrets.NPM_TOKEN }}"

This should only be removed for npm publishing, not to github packages</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes @copilot use npm trusted publishing #29

---

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

[dmattia]

updated: https://www.npmjs.com/package/@transcend-io/internationalization/access

[dmattia]

@copilot run pre-commit run -a for prettier, or fix the outputs of https://github.com/transcend-io/internationalization/actions/runs/20354808594/job/58488313177?pr=30

[Copilot]

@copilot run pre-commit run -a for prettier, or fix the outputs of https://github.com/transcend-io/internationalization/actions/runs/20354808594/job/58488313177?pr=30

Fixed in 40422e1. Changed NODE_AUTH_TOKEN: "" to NODE_AUTH_TOKEN: '' to satisfy prettier formatting.