chore: Use node 24 and npm trusted publishing, and update cspell (backport of #3411 for 2.11) #3415

Merged: sachindshinde merged 12 commits into version-2.11 from sachin/use-trusted-publishing-and-fix-cspell-2.11 (Mar 19, 2026)


@sachindshinde sachindshinde commented Mar 18, 2026

This PR is a backport of #3411 for the version-2.11 branch. Specifically, this PR:

  • Adds an ignore rule to cspell for GHSA IDs.
  • Backports the node orb version bump and lint CircleCI jobs from main (previously using node/run).
  • Bumps actions/checkout to v4 and adds OIDC/changesets permissions in the release GitHub action.
  • Bumps node to v24 for the repo (which is bundled with npm v11), updating the lint CircleCI jobs and release GitHub action as well.
    • This is because npm trusted publishing requires at least npm v11.5.1.
  • Bumps the npm constraint in engines in package.json to <12 (to allow running npm v11).
  • Runs the test CircleCI jobs for node v22, v24, and latest.
    • The job was previously installing npm v9 because node v14's bundled npm version was too low to support the package-lock.json, but it was doing this for all node versions. We've now changed this to only happen for node v14.
  • Stops passing NPM_TOKEN to changesets/action in the release GitHub action.
    • Note that npm versions that support trusted publishing will ignore locally configured tokens when OIDC environment variables are present (which they are for GH actions, since we've set that up), so NPM_TOKEN would be ignored anyway. But the main reason for this change is to stop changesets/action from printing a misleading log message saying NPM_TOKEN has been placed into .npmrc (which, while true, will be ignored by npm publish).
    • Note that we still need to keep the NPM_TOKEN GitHub secret around to run any tag-changing scripts, as npm dist-tag sadly doesn't support OIDC yet (see Allow Trusted Publishers to run "npm dist-tag add" npm/cli#8547 for discussion). This means we'll need to manually rotate the token every 90 days.
  • Uses npm ci instead of npm i in the release GitHub action.
    • As a requirement for releasing (or filing a release PR), the package-lock.json should be aligned with the package.json.
  • Stops setting FEDERATION_VERSION in the release GitHub action since it's no longer used.
  • Sets the tag for npm publishes to the branch name for version-* branches.
    • Previously, it was the default of latest, which was causing backport releases to mistakenly change the latest tag (used when someone npm i's without a version number).
    • We also tightened the version-* branch pattern down to version-[0-9]+.[0-9]+ (since it's getting passed around in bash now).
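
An added example, not part of the PR or the project's workflow: one way to derive the publish tag from a branch name in POSIX shell while accepting only names of the form version-<digits>.<digits>. The dot is matched literally (in a regex engine an unescaped `.` would match any character), and the function name `npm_tag_for_branch`, the `main` to `latest` mapping and the sample branch names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not the project's workflow code). Maps a release branch to the
# npm dist-tag to publish under, rejecting anything that is not exactly
# "version-<digits>.<digits>" before the value reaches a command line.

# Prints the dist-tag for $1 and returns 0, or prints nothing and returns 1.
npm_tag_for_branch() {
  branch=$1
  # Assumption: the default branch is "main" and publishes under "latest".
  if [ "$branch" = "main" ]; then
    printf '%s\n' latest
    return 0
  fi
  case $branch in
    version-*.*) rest=${branch#version-} ;;
    *) return 1 ;;
  esac
  major=${rest%%.*}   # text before the first dot
  minor=${rest#*.}    # text after the first dot
  # Each part must be non-empty and all digits; a second dot, whitespace,
  # a newline or shell metacharacters anywhere fail here.
  case $major in ''|*[!0-9]*) return 1 ;; esac
  case $minor in ''|*[!0-9]*) return 1 ;; esac
  printf '%s\n' "$branch"
}

# Constructed branch names, including ones a loose pattern would let through.
for b in main version-2.11 version-2x11 version-2.11.1 \
         'version-2.11 --tag=latest' feature/x; do
  if tag=$(npm_tag_for_branch "$b"); then
    printf 'publish %-28s with --tag %s\n' "'$b'" "$tag"
  else
    printf 'refuse  %-28s (not a release branch)\n' "'$b'"
  fi
done
```

Failing closed on anything unexpected means a mistyped or crafted branch name stops the release instead of publishing under the default latest tag.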

@sachindshinde sachindshinde requested a review from a team as a code owner March 18, 2026 19:26

apollo-librarian Bot commented Mar 18, 2026

✅ Docs preview ready

The preview is ready to be viewed. View the preview

File Changes

0 new, 2 changed, 0 removed
* graphos/schema-design/federated-schemas/reference/directives.mdx
* graphos/schema-design/federated-schemas/reference/versions.mdx

Build ID: 32a8d83de10f40f4f9322918
Build Logs: View logs

URL: https://www.apollographql.com/docs/deploy-preview/32a8d83de10f40f4f9322918


✅ AI Style Review — No Changes Detected

No MDX files were changed in this pull request.

Review Log: View detailed log

This review is AI-generated. Please use common sense when accepting these suggestions, as they may not always be accurate or appropriate for your specific context.


changeset-bot Bot commented Mar 18, 2026

⚠️ No Changeset found

Latest commit: c140e31

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR


codesandbox-ci Bot commented Mar 18, 2026

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.


@duckki duckki left a comment


Looks good!

@sachindshinde sachindshinde merged commit 3ba3469 into version-2.11 Mar 19, 2026
20 checks passed
@sachindshinde sachindshinde deleted the sachin/use-trusted-publishing-and-fix-cspell-2.11 branch March 19, 2026 23:06