
Conversation

aurimasbutkus
Contributor

@aurimasbutkus aurimasbutkus commented Oct 17, 2025

Added a step to update NPM to the latest version before installing dependencies.

Summary by CodeRabbit

  • Chores
    • Updated the build and release process to use the latest NPM version during package publishing.

Added a step to update NPM to the latest version before installing dependencies.
@aurimasbutkus aurimasbutkus requested a review from a team as a code owner October 17, 2025 10:08
@coderabbitai

coderabbitai bot commented Oct 17, 2025

📝 Walkthrough


Modified the GitHub Actions build-release workflow to update NPM to the latest version before publishing and changed authentication strategy from NODE_AUTH_TOKEN to GITHUB_TOKEN-based authentication in the publish-npmjs job.

Changes

Cohort / File(s): GitHub Actions workflow configuration (.github/workflows/build-release.yaml)
Summary: Added npm@latest update step in publish-npmjs job; removed NODE_AUTH_TOKEN environment variable; retained GITHUB_TOKEN-based authentication with formatting adjustments

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Description Check: Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check: Passed. The pull request title "chore: Use trusted publishers in build-release" accurately reflects the main objective of the changeset. The primary changes involve removing NPM token-based authentication (NODE_AUTH_TOKEN) and switching to GitHub's trusted publishers authentication mechanism, which aligns directly with the title's focus on implementing trusted publishers. The title is concise, specific, and clearly communicates the security-focused improvement to the build workflow, allowing teammates to understand the change's intent without additional context.
Docstring Coverage: Passed. No functions found in the changes. Docstring coverage check skipped.

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 291e554 and 388449c.

📒 Files selected for processing (1)
  • .github/workflows/build-release.yaml (2 hunks)
🔇 Additional comments (2)
.github/workflows/build-release.yaml (2)

42-43: Clarify the intent of the NPM version update and verify necessity.

The step upgrades NPM to the latest version. While this may be needed for full OIDC/provenance support, the rationale should be documented. The setup-node@v4 action (line 37) typically provides a recent NPM version already; verify whether this additional update is necessary.

To confirm the NPM version provided by setup-node@v4 and whether the explicit update is needed, you could run a test build or check the setup-node documentation. If the update is necessary for OIDC/provenance compatibility, consider adding a comment explaining why.


28-49: Verify OIDC/trusted publisher configuration is complete before relying on provenance-only auth.

The removal of NODE_AUTH_TOKEN and reliance on --provenance with id-token: write indicates a shift to OIDC-based authentication (trusted publishers), which is more secure than token-based auth. However, this change removes the fallback authentication method.

Ensure the following before merging:

  1. Confirm that an .npmrc file exists (either in repo root or elsewhere) configured with OIDC settings (e.g., @hostinger:registry=https://registry.npmjs.org, //registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN} removed, etc.)
  2. Verify that the --provenance flag works correctly in the first publish attempt (NPM needs >= 8.16 and proper OIDC configuration)
  3. Test or validate that the publish-npmjs workflow succeeds without the explicit NODE_AUTH_TOKEN

If OIDC is not yet configured on the NPM side (e.g., in npm account settings), the publish will fail silently or with unclear errors.


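The review above discusses the shift from a long-lived NODE_AUTH_TOKEN to OIDC trusted publishing with `--provenance` and `id-token: write`. The following is an added illustration, not the project's actual build-release.yaml: a minimal publish-npmjs job in that shape, with the removed token-based variant kept as a comment for contrast. The trigger, Node version, package visibility and the secret name in the comment are assumptions.

```yaml
# Added example, not the project's own workflow file. Shows a publish job that
# authenticates to npmjs via OIDC (trusted publishing) instead of a stored token.
name: build-release

on:
  release:
    types: [published]        # assumed trigger

jobs:
  publish-npmjs:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write         # lets the job mint an OIDC token; needed for --provenance
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20    # assumed
          registry-url: https://registry.npmjs.org   # points the runner's npm config at npmjs

      # The step this PR adds: make the npm CLI current before installing and publishing.
      - run: npm install -g npm@latest

      - run: npm ci

      # No NODE_AUTH_TOKEN in env. npm presents the runner's OIDC token to the registry,
      # and --provenance attaches a build attestation to the published package.
      - run: npm publish --provenance --access public

      # Token-based variant that the PR removes (kept only for contrast; NPM_TOKEN is an
      # assumed secret name). A leaked long-lived token can publish from anywhere,
      # whereas the OIDC flow only works from this repository's configured workflow.
      # - run: npm publish
      #   env:
      #     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

Before relying on this, the package on npmjs must have this repository and workflow registered as a trusted publisher; otherwise the publish step fails, as the review notes.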

@aurimasbutkus aurimasbutkus merged commit db58e54 into main Oct 17, 2025
1 check passed
@aurimasbutkus aurimasbutkus deleted the chore/use-trusted-publishers branch October 17, 2025 10:29

2 participants