chore: configure npm trusted publishing via OIDC (#147)

Switch publish workflow from NPM_TOKEN to GitHub Actions trusted
publishing. Adds id-token: write permission, sets registry-url on
setup-node, upgrades npm to a version that supports OIDC, and removes
the token-based .npmrc step. Provenance attestations are now generated
automatically.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: alZyad

.github/workflows/publish.yml

@@ -9,28 +9,30 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     environment: npm-publish
+    permissions:
+      id-token: write
+      contents: read
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
-          ref: "main" # Replace with your branch name
+          ref: "main"
 
       - name: Use Node.js
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version-file: .nvmrc
+          registry-url: "https://registry.npmjs.org"
+
+      - name: Upgrade npm for trusted publishing
+        run: npm install -g npm@latest
 
       - name: Install dependencies
         run: yarn --immutable
 
       - name: Build eslint-plugin
         run: yarn workspace @bam.tech/eslint-plugin build
 
-      - name: Set up .npmrc file
-        run: echo "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}" > ~/.npmrc
-
       - name: Publish to npm
         run: npx lerna publish from-package --no-private --yes
-        env:
-          NPM_TOKEN: ${{secrets.NPM_TOKEN}}