ci: use npm trusted publishing with OIDC provenance #4

	name: Snapshot Release

	on:
	push:
	branches: [dev]

	concurrency: ${{ github.workflow }}-${{ github.ref }}

	jobs:
	snapshot:
	runs-on: ubuntu-latest

	permissions:
	contents: read
	id-token: write

	steps:
	- uses: actions/checkout@v4

	- uses: oven-sh/setup-bun@v2
	with:
	bun-version: latest

	- name: Install dependencies
	run: bun install

	- name: Build
	run: bun run build

	- name: Unit tests
	run: bun run test:unit

	- name: Setup npm auth
	run: \|
	echo "//registry.npmjs.org/:_authToken=\${NODE_AUTH_TOKEN}" > .npmrc
	env:
	NODE_AUTH_TOKEN: ""

	- name: Publish snapshot to npm
	run: \|
	npx changeset version --snapshot canary
	npx changeset publish --tag canary --no-git-tag
	env:
	NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
	NPM_CONFIG_PROVENANCE: true

Provide feedback