
fix: wire up Node 24 + setup-node for npm trusted publishing#845

Merged
mbevc1 merged 1 commit into main from fix-npm-trusted-publishing on May 1, 2026

Conversation

@jbrejner
Contributor

@jbrejner jbrejner commented May 1, 2026

Summary

  • Adds actions/setup-node@v4 (Node 24) with registry-url: https://registry.npmjs.org to the goreleaser job
  • This wires up the OIDC-based registry auth that npm trusted publishing requires, without needing NPM_TOKEN or per-package .npmrc files
  • The id-token: write permission was already present on the job; the missing piece was setup-node to configure the registry endpoint

Root cause

The previous commit (#843) correctly removed the .npmrc files and NPM_TOKEN, but npm trusted publishing requires Node ≥ 22.14.0, npm ≥ 11.5.1, and actions/setup-node with a registry-url to configure OIDC auth. Without setup-node, the runner had no registry config at all → ENEEDAUTH on every npm publish attempt.

Test plan

  • Trigger a release and verify npm packages publish successfully without NPM_TOKEN
  • Confirm --provenance attestations are generated for each package

🤖 Generated with Claude Code

The previous commit removed .npmrc files and NPM_TOKEN expecting
OIDC-based passwordless auth, but npm trusted publishing requires
Node >=22.14.0, npm >=11.5.1, and actions/setup-node to configure
the registry. Without setup-node the runner had no registry config
at all, causing ENEEDAUTH on every npm publish attempt.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@jbrejner jbrejner requested a review from mbevc1 May 1, 2026 12:52
@claude
Contributor

claude Bot commented May 1, 2026

Claude finished @jbrejner's task in 2m 33s


PR Review: Wire up Node 24 + setup-node for npm trusted publishing

  • Run static analysis checks
  • Review code changes
  • Post review feedback

Static Analysis

All Go checks pass — go build, go vet, and go mod tidy are clean. This is expected since the PR only modifies a workflow YAML file.


Code Review

The change is correct and well-scoped. It adds the missing setup-node step that PR #843 overlooked when removing .npmrc files and NPM_TOKEN. The root cause analysis in the PR description is spot-on: id-token: write was already present, but without setup-node + registry-url, npm had no registry configuration for OIDC auth → ENEEDAUTH.

What works well:

  • Placement is logical — right after setup-go, before GoReleaser (which invokes scripts/npm-publish.sh)
  • The registry-url parameter is the key piece that makes setup-node configure .npmrc for the npm registry, enabling OIDC-based trusted publishing
  • npm-publish.sh already conditionally adds --provenance when GITHUB_ACTIONS=true (line 69), which triggers the OIDC token exchange
  • Tag style (@v4) is consistent with other actions in this workflow (checkout@v6, setup-go@v6, goreleaser-action@v7)

One suggestion to consider:

Node 24 is current but not LTS — it was released April 2025 and won't reach LTS until October 2025. The npm trusted publishing requirement is Node ≥ 22.14.0 + npm ≥ 11.5.1, which Node 22 LTS satisfies. Using node-version: '22' would be a more conservative choice for a release pipeline, reducing exposure to potential regressions in a non-LTS runtime. That said, Node 24 ships with the right npm version out of the box and setup-node manages the installation cleanly, so this is a low-risk tradeoff either way. Worth a quick team discussion on preference.

No issues found with:

  • Security: id-token: write is already scoped to the goreleaser job, and NODE_AUTH_TOKEN is intentionally absent (trusted publishing uses OIDC instead)
  • The npm publish script's retry logic and provenance flag handling are unchanged and work correctly with this setup
  • No missing dependencies or configuration gaps

Verdict: Looks good to merge. The Node 22 vs 24 choice is the only point worth a brief discussion — the rest is clean.
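
The job layout that the PR description and the review above describe, as an added example that is not the project's own workflow file: the `goreleaser` job name, the action tags (`checkout@v6`, `setup-go@v6`, `setup-node@v4`, `goreleaser-action@v7`) and the `scripts/npm-publish.sh` reference are taken from the discussion, while the trigger, `go-version-file`, `fetch-depth`, `contents: write` and the `args` passed to GoReleaser are assumptions for illustration.

```yaml
# Added example, not the project's actual release workflow. Trigger, Go setup
# details, contents permission and GoReleaser args are assumed; the job name,
# action versions and the npm publish script name come from the PR discussion.
name: release
on:
  push:
    tags: ['v*']          # assumed release trigger

jobs:
  goreleaser:
    runs-on: ubuntu-latest
    permissions:
      contents: write     # assumed: lets GoReleaser create the GitHub release
      id-token: write     # already present before this PR; lets npm request an OIDC token
    steps:
      - uses: actions/checkout@v6
        with:
          fetch-depth: 0  # assumed: GoReleaser wants full tag history

      - uses: actions/setup-go@v6
        with:
          go-version-file: go.mod   # assumed

      # The step that PR #843 left out. registry-url makes setup-node write a
      # runner-level .npmrc pointing at the npm registry; without it npm has no
      # registry configuration at all and `npm publish` fails with ENEEDAUTH.
      # NODE_AUTH_TOKEN is deliberately not set anywhere in this job: with
      # trusted publishing, npm exchanges the job's OIDC token for publish
      # authorization instead of reading a long-lived secret.
      - uses: actions/setup-node@v4
        with:
          # Trusted publishing needs Node >= 22.14.0 and npm >= 11.5.1.
          # Node 24 satisfies this out of the box; '22' (LTS) also does,
          # which is the more conservative choice raised in review.
          node-version: '24'
          registry-url: https://registry.npmjs.org

      # GoReleaser invokes scripts/npm-publish.sh, which adds --provenance to
      # `npm publish` when GITHUB_ACTIONS=true, triggering the OIDC exchange.
      - uses: goreleaser/goreleaser-action@v7
        with:
          args: release --clean     # assumed
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # No NPM_TOKEN / NODE_AUTH_TOKEN here: publish auth comes from OIDC.
```

Two things are worth checking when adopting this shape: the npm package's trusted-publisher settings on npmjs.com must name exactly this workflow file and repository, otherwise the OIDC exchange is rejected even though the job holds `id-token: write`; and the `permissions:` block should stay at job level rather than workflow level so the token-minting capability is scoped to the one job that publishes.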

@mbevc1 mbevc1 enabled auto-merge (squash) May 1, 2026 12:58
@mbevc1 mbevc1 merged commit 8c75c0c into main May 1, 2026
16 checks passed
@mbevc1 mbevc1 deleted the fix-npm-trusted-publishing branch May 1, 2026 12:59
github-actions Bot pushed a commit that referenced this pull request May 1, 2026
…#845)

The previous commit removed .npmrc files and NPM_TOKEN expecting
OIDC-based passwordless auth, but npm trusted publishing requires
Node >=22.14.0, npm >=11.5.1, and actions/setup-node to configure
the registry. Without setup-node the runner had no registry config
at all, causing ENEEDAUTH on every npm publish attempt.

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>