Update NPM publishing to use OIDC authentication with Node 24 and pnpm 10.19

[Copilot]

Jira issue link: ssd-3983

This PR updates the NPM publishing workflow to use OIDC (OpenID Connect) authentication and upgrades the project to Node.js 24 and pnpm 10.19.0, following the same pattern as implemented in workleap/wl-telemetry#112.

Changes

Node.js and pnpm Updates

• Node.js: Upgraded from LTS to version 24 (.nvmrc and package.json engines)
• pnpm: Upgraded to version 10.19.0 (pinned via packageManager field in package.json)
• Removed explicit version specification from pnpm action setup, allowing it to use the version defined in package.json

NPM Security Improvements

Added .npmrc configuration to improve security by enforcing a minimum release age for dependencies:

• New packages must wait 1 day (1440 minutes) after release before being installed
• Workleap packages (@workleap*) are excluded from this requirement for faster internal updates

OIDC Authentication

Updated the publish workflow to use OIDC authentication for NPM publishing:

• Changed from NPM_TOKEN to NODE_AUTH_TOKEN environment variable
• Added NPM_CONFIG_PROVENANCE: true to enable provenance statements for published packages
• This provides better security and transparency for package publishing through GitHub Actions

Testing

Created a changeset to test the release process with these new configurations.

Related

Closes SSD-3983

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

• petstore3.swagger.io

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to the custom allowlist in this repository's Copilot coding agent settings (admins only)

Original prompt

---

This section details on the original issue you should resolve

<issue_title>Update NPM publishing to use OIDC</issue_title>
<issue_description>- Bump Node to 24

• Bump Pnpm to version 10.19 (if present in a pipeline, remove the version from pnpm/action-setup)
• Add pnpm settings to improve security: We force npm to wait 1 day after a package release before updating it. (except workleap packages)

minimumReleaseAge: 1440
minimumReleaseAgeExclude:
  - "@workleap*"

• create a changeset to test the release

We need to do the exact same thing as this PR
https://github.com/workleap/wl-telemetry/pull/112/files

Start the branch name with SSD-3983_ </issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #47

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[Copilot]

Pull Request Overview

This PR updates the NPM publishing workflow to use OIDC authentication and upgrades the project to Node.js 24 and pnpm 10.19.0. The changes improve security through OIDC-based authentication and implement a minimum release age policy for npm dependencies.

• Node.js upgraded from LTS to version 24, pnpm upgraded to version 10.19.0
• Added .npmrc configuration to enforce 1-day minimum release age for dependencies (excluding Workleap packages)
• Transitioned NPM publishing from token-based to OIDC authentication

Reviewed Changes

Copilot reviewed 7 out of 8 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
.nvmrc	Updates Node.js version from LTS to 24
package.json	Updates Node.js engine requirement and pins pnpm version to 10.19.0
packages/create-schemas/package.json	Updates Node.js engine requirement to 24.0.0
.npmrc	Adds security configuration for minimum release age policy
.github/actions/setup/action.yml	Removes explicit pnpm version to use package.json definition
.github/workflows/publish.yml	Removes NPM_TOKEN for OIDC authentication
.changeset/update-npm-oidc.md	Adds changeset for testing the release process

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}