ci: migrate to OIDC trusted publishing

Ticket: DX-2083

Author: Tanjeem Hossain

.github/workflows/release.yml

@@ -1,4 +1,11 @@
 name: Release
+permissions:
+  # Needed for npm Trusted Publishing
+  id-token: write
+  # Needed for semantic-release
+  contents: write
+  pull-requests: write
+  issues: write
 on:
   push:
     branches:
@@ -7,6 +14,7 @@ jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
+    environment: publish
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -16,14 +24,16 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: 20.x
+      - name: Ensure npm 11.5.1 or later for trusted publishing
+        run: |
+          npm install -g npm@11.5.1
       - name: Install dependencies
         run: yarn
       - name: Build library
         run: yarn build:prod
       - name: Release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
           BRANCH_NAME: ${{ github.head_ref || github.ref_name }}
         run: yarn run semantic-release
       - name: Rebase master

package.json

@@ -49,7 +49,7 @@
     "@semantic-release/commit-analyzer": "11.1.0",
     "@semantic-release/git": "10.0.1",
     "@semantic-release/github": "9.2.6",
-    "@semantic-release/npm": "11.0.2",
+    "@semantic-release/npm": "13.1.1",
     "@types/jest": "29.5.11",
     "@types/node": "18.18.7",
     "@typescript-eslint/eslint-plugin": "6.18.1",