Conversation

@nicknisi
Member

Enables npm Trusted Publishers for secure publishing without manual token management.

Changes:

  • Update Node version to 24 (required for npm 11+)
  • Add id-token: write permission for OIDC authentication
  • Add --provenance flag to publish commands
  • Remove NODE_AUTH_TOKEN environment variable (no longer needed)

Benefits:

  • More secure authentication using OIDC
  • Cryptographic provenance for published packages
  • No need to manage NPM_TOKEN secrets

@greptile-apps

greptile-apps bot commented Dec 19, 2025

Greptile Summary

This PR migrates npm publishing from token-based authentication to OIDC-based Trusted Publishers, improving security by eliminating the need to manage NPM_TOKEN secrets.

  • Added id-token: write permission required for OIDC authentication with npm
  • Added --provenance flag to publish commands for cryptographic package attestation
  • Removed NODE_AUTH_TOKEN environment variable (no longer needed with Trusted Publishers)
  • Updated Node version from 18 to 24 (required for npm 11+ which supports Trusted Publishers)

Note: This requires npm Trusted Publishers to be configured on the npm registry side for the @workos-inc/authkit-react package.

Confidence Score: 4/5

  • This PR is safe to merge, implementing a standard npm Trusted Publishers setup with correct OIDC permissions.
  • Score of 4 reflects a well-implemented security improvement. The configuration follows npm's recommended Trusted Publishers pattern correctly. Minor deduction for Node version inconsistency between CI (20) and release (24) workflows, which could mask compatibility issues.
  • Verify npm Trusted Publishers is configured on the npm registry for this package before merging.

Important Files Changed

.github/workflows/release.yml: Migrates to npm Trusted Publishers with OIDC auth, adds provenance flag, and updates Node to v24. Configuration is correct for Trusted Publishers.

Sequence Diagram

sequenceDiagram
    participant GH as GitHub Actions
    participant OIDC as GitHub OIDC Provider
    participant NPM as npm Registry

    GH->>GH: Release event triggers workflow
    GH->>GH: Checkout & setup Node 24
    GH->>GH: npm install & build
    GH->>OIDC: Request OIDC token (id-token: write)
    OIDC-->>GH: Return signed JWT
    GH->>NPM: npm publish --provenance (with OIDC token)
    NPM->>NPM: Verify OIDC token against Trusted Publishers
    NPM->>NPM: Generate provenance attestation
    NPM-->>GH: Publish successful
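The workflow shape described in the PR's Changes list, in the Greptile summary and in the sequence diagram above, as an added example. It is not the repository's own .github/workflows/release.yml (the PR page only shows fragments of that file). The job id `publish`, the `npm-publish` environment name, the build and test commands, the npm version check and the `--access public` flag are assumptions; the package name, Node 24, the `id-token: write` permission and the `--provenance` flag are taken from the PR.

```yaml
# Added example: a release workflow publishing with npm Trusted Publishers (OIDC).
# Not the repository's own release.yml; job id, environment name and build
# commands are assumptions.
name: Release

on:
  release:
    types: [published]

# Default for every job: read-only. Only the publishing job gets id-token: write.
permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    # Assumed environment name. If set here, the same name must be registered in
    # the package's trusted publisher configuration on npmjs.com.
    environment: npm-publish
    permissions:
      contents: read
      id-token: write   # allows this job to request a GitHub OIDC token for npm

    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 24                         # bundles npm 11, as the PR notes
          registry-url: https://registry.npmjs.org

      # Assumed guard: trusted publishing depends on the npm that ships with the
      # runner's Node image, so fail early if it is older than npm 11.
      - name: Check npm version
        run: |
          major="$(npm --version | cut -d. -f1)"
          if [ "$major" -lt 11 ]; then
            echo "npm $(npm --version) is too old for Trusted Publishers (need 11+)" >&2
            exit 1
          fi

      - run: npm ci
      - run: npm run build
      - run: npm test

      # Token-based publishing (removed by this migration) looked like this:
      #   - run: npm publish
      #     env:
      #       NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      #
      # With Trusted Publishers there is no long-lived secret: npm sends the
      # GitHub OIDC token to the registry, which checks it against the trusted
      # publisher configuration for @workos-inc/authkit-react and issues a
      # short-lived publish credential. --provenance attaches a signed
      # attestation linking the tarball to this repository and workflow run.
      - name: Publish to npm
        run: npm publish --provenance --access public   # --access public assumed
```

The commented-out `env:` block is the part that this migration deletes; everything that replaces it is the `id-token: write` grant plus the registry-side trust configuration. If that configuration is missing or does not match the repository, workflow filename or environment, `npm publish` fails with an authentication error rather than quietly falling back to a token, which is the behaviour the summary's note about registry-side setup refers to.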

@greptile-apps greptile-apps bot left a comment

1 file reviewed, 2 comments

- uses: actions/setup-node@v4
with:
node-version: 18
node-version: 24
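Review bot: the hunk raises node-version from 18 to 24, but nothing in the workflow asserts which npm that gives you; the PR description says npm 11+ is required for Trusted Publishers, so consider adding a step that checks `npm --version` (or installs a known npm 11 release) before `npm publish`, so that a runner image with an older bundled npm fails at the check rather than at publish time with an authentication error. Since this job now holds `id-token: write`, pinning `actions/setup-node@v4` (and the other actions it uses) to a full commit SHA would also keep the publishing job's own supply chain fixed.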
style: CI workflow uses Node 20, but release uses Node 24. Consider aligning versions to catch potential compatibility issues during CI before release.

(.github/workflows/release.yml, line 25)

shell: bash

jobs:
test:
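Review bot: renaming the `test` job as suggested does not affect the registry-side trust relationship, because the npm Trusted Publisher configuration matches on the repository, the workflow filename (release.yml here) and an optional environment name, not on the job id; renaming the workflow file, by contrast, would require updating that configuration before the next release. While touching this job, consider declaring `permissions:` at the job level with only `contents: read` and `id-token: write`, so the OIDC grant this PR adds is not inherited by any other job added to the workflow later.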
style: Job name test is misleading since it publishes to NPM. Consider renaming to publish or release for clarity.

(.github/workflows/release.yml, line 15)

@nicknisi nicknisi merged commit 668b538 into main Dec 19, 2025
4 checks passed
@nicknisi nicknisi deleted the nicknisi/trusted-publisher branch December 19, 2025 16:36