refactor: move to OIDC publications

.github/workflows/pkg-release.yml

@@ -1,34 +1,32 @@
-# This filename is associated with the respective NPM package's trusted publish config.
-# If required, update both together.
-
-name: Package Release
+name: Publish to npm
 
 on:
   push:
     tags:
-      - 'v*.*.*'
-
-  workflow_dispatch:
-    inputs:
-      tag:
-        description: 'Tag to publish (e.g. v1.2.3 or v1.2.3-rc.1)'
-        required: true
-        type: string
+      - 'v*'
 
 permissions:
   contents: read
-  id-token: write       # required for OIDC-based publishing
+  id-token: write
 
 jobs:
-  call-npm-release:
-    uses: postmanlabs/gh-security-scan-workflow/.github/workflows/security-npm-publish.yml@main
+  publish:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v6
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: '24'
+          registry-url: 'https://registry.npmjs.org'
 
-    with:
-      tag: ${{ github.ref_type == 'tag' && github.ref_name || inputs.tag }}
-      node_version: '22'
-      package_path: 'dist'
-      skip_tests: true
-      dry_run: ${{ github.event_name == 'workflow_dispatch' }}
+      - name: Install dependencies
+        run: npm ci
 
-    secrets:
-      POSTMAN_NPM_TOKEN: ${{ secrets.POSTMAN_NPM_TOKEN }} # read-only granular token
+      - name: Publish to npm
+        if: github.ref_type == 'tag'
+        run: npm publish --provenance --access public
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.POSTMAN_NPM_TOKEN }}