feat: enable trusted publishing for npm packages (#999)

## Summary

Switch npm publishing from token-based authentication to OIDC-based
trusted publishing.

### Changes

- Remove `npm-token` secret requirement from workflows and publish
action
- Add `id-token: write` permission for OIDC authentication
- Update npm to v11 in the publish action (required for OIDC publishing)
- Remove `--provenance` flag and `NODE_AUTH_TOKEN` environment variable

## Post-merge: Configure on npmjs.com

Package Settings → Trusted Publisher → GitHub Actions:
- **Organization**: `auth0`
- **Repository**: `auth0-react`
- **Workflow**: `release.yml`
- **Environment**: `release`

### Benefits

- Eliminates need to manage long-lived npm tokens as secrets
- Leverages GitHub's OIDC provider for secure, short-lived credentials
- Simplifies secret management across repositories using the shared
workflow

Author: gyaneshgouraw-okta

.github/actions/npm-publish/action.yml

@@ -3,8 +3,6 @@ name: Publish release to npm
 inputs:
   node-version:
     required: true
-  npm-token:
-    required: true
   version:
     required: true
   require-build:
@@ -26,6 +24,10 @@ runs:
         cache: 'npm'
         registry-url: 'https://registry.npmjs.org'
 
+    - name: Update npm
+      shell: bash
+      run: npm install -g npm@11
+
     - name: Install dependencies
       shell: bash
       run: npm ci --include=dev
@@ -46,7 +48,6 @@ runs:
         else
           TAG="latest"
         fi
-        npm publish --provenance --tag $TAG
+        npm publish --tag $TAG
       env:
-        NODE_AUTH_TOKEN: ${{ inputs.npm-token }}
         VERSION: ${{ inputs.version }}

.github/workflows/npm-release.yml

@@ -15,14 +15,15 @@ on:
     secrets:
       github-token:
         required: true
-      npm-token:
-        required: true
 
 jobs:
   release:
     if: github.event_name == 'workflow_dispatch' || (github.event_name == 'pull_request' && github.event.pull_request.merged && startsWith(github.event.pull_request.head.ref, 'release/'))
     runs-on: ubuntu-latest
     environment: release
+    permissions:
+      contents: write
+      id-token: write
 
     steps:
       # Checkout the code
@@ -66,7 +67,6 @@ jobs:
           node-version: ${{ inputs.node-version }}
           require-build: ${{ inputs.require-build }}
           version: ${{ steps.get_version.outputs.version }}
-          npm-token: ${{ secrets.npm-token }}
           release-directory: ${{ inputs.release-directory }}
 
       # Create a release for the tag

.github/workflows/release.yml

@@ -33,5 +33,4 @@ jobs:
       node-version: 18
       require-build: true
     secrets:
-      npm-token: ${{ secrets.NPM_TOKEN }}
       github-token: ${{ secrets.GITHUB_TOKEN }}