
chore: switch npm publish to trusted publishing and bump Node to 24#401

Merged
tomusdrw merged 5 commits into main from td-npm-trusted-publish
Apr 8, 2026

Conversation


@tomusdrw tomusdrw commented Apr 8, 2026

Summary

  • Switch npm publish from NPM_TOKEN secret to OIDC trusted publishing (--provenance + id-token: write)
  • Bump Node.js from 22 to 24 across all workflows, Dockerfiles, and .node-version
  • Simplify engines field to >=22.12.0 (drops Node 20 support)
  • Bump GitHub Actions to latest majors: configure-pages v6, upload-pages-artifact v4, deploy-pages v5, upload-artifact v7

Test plan

  • Verify CI workflows pass with Node 24
  • Trigger a release and confirm npm publish succeeds via trusted publishing

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated Node.js runtime from v22 to v24 across development, CI, Docker, and deployment environments.
    • Upgraded GitHub Actions and pipeline tooling to newer action versions for CI/CD.
    • Tightened Node engine requirement to >=22.12.0 (removed Node 20.x compatibility).
    • Added package repository metadata and adjusted publish/check steps and workflow permissions for release validation.

Use OIDC-based trusted publishing (--provenance) instead of NPM_TOKEN
secret for npm publish. Bump Node from 22 to 24, update engines field,
and bump GitHub Actions to latest major versions.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

netlify bot commented Apr 8, 2026

Deploy Preview for graypaper-reader ready!

🔨 Latest commit: 192a898
🔍 Latest deploy log: https://app.netlify.com/projects/graypaper-reader/deploys/69d6569f047d7b0008dd0221
😎 Deploy Preview: https://deploy-preview-401--graypaper-reader.netlify.app


coderabbitai bot commented Apr 8, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 473aea6c-1536-4979-901a-4aa85b15c2c2

📥 Commits

Reviewing files that changed from the base of the PR and between e1f7632 and 192a898.

⛔ Files ignored due to path filters (6)
  • tools/snapshot-tests/tests/split-screen.spec.ts-snapshots/split-header-options-menu-dark-mode-linux.png is excluded by !**/*.png
  • tools/snapshot-tests/tests/split-screen.spec.ts-snapshots/split-header-options-menu-light-mode-linux.png is excluded by !**/*.png
  • tools/snapshot-tests/tests/split-screen.spec.ts-snapshots/split-header-version-dropdown-dark-mode-linux.png is excluded by !**/*.png
  • tools/snapshot-tests/tests/split-screen.spec.ts-snapshots/split-header-version-dropdown-light-mode-linux.png is excluded by !**/*.png
  • tools/snapshot-tests/tests/split-screen.spec.ts-snapshots/split-sidebar-overlay-closed-dark-mode-linux.png is excluded by !**/*.png
  • tools/snapshot-tests/tests/split-screen.spec.ts-snapshots/split-view-via-url-dark-mode-linux.png is excluded by !**/*.png
📒 Files selected for processing (3)
  • .github/workflows/node.js.yml
  • shared/links-metadata/package.json
  • tools/links-check/package.json
✅ Files skipped from review due to trivial changes (2)
  • shared/links-metadata/package.json
  • tools/links-check/package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/node.js.yml

📝 Walkthrough

Node.js runtime bumped from 22 → 24 across CI workflows, Dockerfiles, and .node-version; GitHub Actions usages upgraded in deploy and visual-regression workflows; publish workflow gains explicit permissions and --provenance publish flags while removing NODE_AUTH_TOKEN; two package.json files gained repository metadata; package.json engines tightened to >=22.12.0.

Changes

  • CI Workflows (Node runtime bumps): .github/workflows/links-checker.yml, .github/workflows/matrix-bot.yml, .github/workflows/node.js.yml, .github/workflows/deploy.yml, .github/workflows/publish.yml
    Updated Node.js runtime from 22 → 24 via actions/setup-node; .github/workflows/deploy.yml also upgraded the Pages-related action versions.
  • Publish workflow adjustments: .github/workflows/publish.yml
    Added explicit job permissions (contents: read, id-token: write); publish steps now use npm publish --provenance --access public and no longer set NODE_AUTH_TOKEN.
  • Visual-regression artifact action: .github/workflows/visual-regression.yml
    Upgraded actions/upload-artifact from v6 → v7 for the Playwright report upload; logic unchanged.
  • Node version config files: .node-version, package.json
    .node-version changed to 24; package.json engines.node tightened from `>=20.19.0 <21
  • Docker base images: Dockerfile.snapshot-tests, tools/matrix-bot/Dockerfile
    Switched Node base from 22 → 24 (NodeSource repo URL and node:22-slim → node:24-slim).
  • Package metadata additions: shared/links-metadata/package.json, tools/links-check/package.json
    Added repository field (git URL + repository.directory) to these package.json files.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 I hopped from twenty-two to twenty-four,

Docker coats shiny, actions updated more,
Permissions set, provenance in tow,
Two packages now point where they grow,
A tiny hop, a big workflow roar ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check ✅ Passed: Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check ✅ Passed: The PR title clearly summarizes the two main changes: switching to npm trusted publishing and bumping Node.js to version 24, which aligns with the primary objectives.
  • Docstring Coverage ✅ Passed: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@github-actions

github-actions bot commented Apr 8, 2026

Visual Regression Test Report ✅ Passed

Github run id: 24137496049

🔗 Artifacts: Download


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.github/workflows/node.js.yml (1)

21-21: Align tested Node versions with declared engine support.

The package.json declares engines.node: >=22.12.0, but all CI workflows test only Node 24. This gap can allow Node 22.12–23.x regressions to slip into releases while still advertising support. Either add Node 22 to the CI matrix or tighten the engine declaration to >=24.0.0.

Proposed workflow adjustment (option a)
 jobs:
   build:
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [22, 24]

     steps:
       - uses: actions/checkout@v6
       - name: Use Node.js
         uses: actions/setup-node@v6
         with:
-          node-version: 24
+          node-version: ${{ matrix.node-version }}
           cache: "npm"
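Review bot: the matrix entry `22` resolves to the newest 22.x release on the runner, so this job still would not exercise the `>=22.12.0` floor that package.json declares; if the intent stated above is to run the lowest supported runtime, list it explicitly, for example `node-version: [22.12.0, 24]`, or keep `22` and accept that only the latest 22.x is covered. Adding `strategy.matrix` to `build` also changes the reported check names from a single `build` to one per entry (`build (22)`, `build (24)`), so any branch protection rule that requires the `build` status by name needs to be updated alongside this hunk.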
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/node.js.yml at line 21, The CI is testing only
node-version: 24 while package.json declares engines.node: >=22.12.0; align them
by either (A) adding Node 22 (and optionally 23) to the GitHub Actions matrix by
changing node-version to a list that includes 22 (e.g., ["22", "24"]) so CI runs
the lowest declared supported runtime, or (B) tighten the engine declaration in
package.json to ">=24.0.0" if you intend to only support Node 24+; update
whichever you choose and ensure the symbol node-version in the workflow and the
engines.node field in package.json match.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/publish.yml:
- Around line 40-45: The published packages shared/links-metadata and
tools/links-check are missing the repository metadata required for OIDC/trusted
publishing; open each package.json in the directories referenced
(shared/links-metadata and tools/links-check) and add a "repository" entry
(either a string or object with "type": "git" and "url":
"https://github.com/your-org/your-repo.git") so npm can verify the repository
during the npm publish steps; ensure the URL points to this repo and commit the
changes before the workflow runs.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 2dd253bf-1fa0-4b70-81b9-50f3feec2c65

📥 Commits

Reviewing files that changed from the base of the PR and between 31dd45b and e1f7632.

📒 Files selected for processing (10)
  • .github/workflows/deploy.yml
  • .github/workflows/links-checker.yml
  • .github/workflows/matrix-bot.yml
  • .github/workflows/node.js.yml
  • .github/workflows/publish.yml
  • .github/workflows/visual-regression.yml
  • .node-version
  • Dockerfile.snapshot-tests
  • package.json
  • tools/matrix-bot/Dockerfile
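The publish-workflow change summarised in the PR description (the NPM_TOKEN secret replaced by `id-token: write` plus `npm publish --provenance`) and the `repository` metadata the inline review comment above flags are both preconditions that are cheap to check mechanically before a release runs. The script below is an added example, not code from graypaper-reader or its contributors: it writes constructed before/after workflow fragments and two constructed package.json files into a temporary directory and runs two small checks over them. The `registry-url` input on actions/setup-node, the `example-org/example-repo` URL and the `@example/...` package names are placeholders and are not taken from this repository.

```shell
#!/bin/sh
# Preflight check for an npm trusted-publishing job (added example, not the
# project's own code). All files below are constructed stand-ins; the repo URL
# and package names are placeholders.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed "before": the job authenticates with a long-lived stored secret.
cat > "$WORK/publish-before.yml" <<'EOF'
jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version: 24
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
EOF

# Constructed "after": OIDC trusted publishing as the PR summary describes.
# id-token: write lets the job request a short-lived OIDC token from GitHub;
# --provenance attaches a signed attestation tying the tarball to this run.
cat > "$WORK/publish-after.yml" <<'EOF'
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/checkout@v6
      - uses: actions/setup-node@v6
        with:
          node-version: 24
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish --provenance --access public
EOF

# Constructed package.json files: one lacking the repository field the review
# flagged, one carrying it in object form with the monorepo directory.
cat > "$WORK/package-missing-repo.json" <<'EOF'
{ "name": "@example/links-metadata", "version": "1.0.0" }
EOF
cat > "$WORK/package-with-repo.json" <<'EOF'
{
  "name": "@example/links-metadata",
  "version": "1.0.0",
  "repository": {
    "type": "git",
    "url": "https://github.com/example-org/example-repo.git",
    "directory": "shared/links-metadata"
  }
}
EOF

# check_workflow FILE: succeeds only if the job grants id-token: write,
# publishes with --provenance, and no longer references a stored npm token.
check_workflow() {
  f="$1"; rc=0
  grep -Eq '^[[:space:]]*id-token:[[:space:]]*write' "$f" \
    || { echo "$f: missing 'id-token: write' permission"; rc=1; }
  grep -Eq 'npm publish.*--provenance' "$f" \
    || { echo "$f: publish step does not pass --provenance"; rc=1; }
  if grep -Eq 'NODE_AUTH_TOKEN|NPM_TOKEN' "$f"; then
    echo "$f: still references a long-lived npm token"; rc=1
  fi
  return "$rc"
}

# repo_url FILE: prints repository.url (object form) or repository (string form),
# or nothing when neither is present.
repo_url() {
  u=$(grep -Eo '"url"[[:space:]]*:[[:space:]]*"[^"]*"' "$1" \
        | sed -E 's/.*"([^"]*)"$/\1/' | head -n 1)
  [ -n "$u" ] || u=$(grep -Eo '"repository"[[:space:]]*:[[:space:]]*"[^"]*"' "$1" \
        | sed -E 's/.*"([^"]*)"$/\1/' | head -n 1)
  printf '%s\n' "$u"
}

# check_repository FILE EXPECTED_URL: succeeds only if the package declares the
# repository URL that npm compares against the workflow's source repository.
check_repository() {
  got=$(repo_url "$1")
  [ "$got" = "$2" ] \
    || { echo "$1: repository is '${got:-<missing>}', expected '$2'"; return 1; }
}

EXPECTED_REPO="https://github.com/example-org/example-repo.git"  # placeholder

for w in publish-before publish-after; do
  if check_workflow "$WORK/$w.yml"; then echo "$w.yml: OK"; fi
done
for p in package-missing-repo package-with-repo; do
  if check_repository "$WORK/$p.json" "$EXPECTED_REPO"; then echo "$p.json: OK"; fi
done
```

Run it with `sh preflight.sh`; the "before" workflow fails all three workflow checks and `package-missing-repo.json` fails the repository check, while the "after" pair passes. The third workflow check matters because a stored `NODE_AUTH_TOKEN` left in a job that also has `id-token: write` keeps the long-lived credential in play even though the publish itself no longer needs it. The repository check mirrors what npm does at publish time with `--provenance`: the `repository` URL in package.json has to point at the repository the workflow actually ran from, which is why the follow-up commits in this PR add that field to both monorepo packages. Trusted publishing also depends on the npm CLI on the runner being recent enough, so `npm --version` on the runner is the first thing to look at if a publish is rejected.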

tomusdrw and others added 3 commits April 8, 2026 15:13
Catches packaging issues (missing files, bad config) on every PR
before they hit a real publish.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Required by npm trusted publishing to verify OIDC provenance.
Also includes the `directory` field since these are monorepo packages.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@tomusdrw tomusdrw merged commit d15490f into main Apr 8, 2026
5 checks passed
@tomusdrw tomusdrw deleted the td-npm-trusted-publish branch April 8, 2026 13:29