fix: update npm release workflow for provenance

- Add registry-url to setup-node to correctly configure authentication via .npmrc.
- Append --provenance and --access public to the publish command for secure OIDC delivery.

Author: orange-guo

.github/workflows/release.yml

@@ -1,24 +1,19 @@
-name: Release
-
-on:
-  push:
-    branches:
-      - main # Trigger on every push to main
-
-permissions:
-  contents: read
-  id-token: write # Required for provenance / (optional) NPM Trusted Publishing
-
 jobs:
   publish:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write # OIDC 必须权限
+
     steps:
       - uses: actions/checkout@v4
 
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
           node-version: '20'
+          # 👇 关键修正 1：添加这行，让 Action 自动配置 .npmrc 认证
+          registry-url: 'https://registry.npmjs.org'
 
       - name: Install dependencies
         run: yarn install
@@ -27,12 +22,9 @@ jobs:
         run: yarn build
 
       - name: Publish to NPM
-        # It will only publish if the version in package.json is new.
-        # Publish auth:
-        # - Recommended: set repo secret NPM_TOKEN (an npm "Automation" token with publish access).
-        # - Optional: if you've configured NPM Trusted Publishing for this package, it can publish without NPM_TOKEN.
         env:
+          # 这一步会读取 Setup Node.js 生成的 .npmrc 配置
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-        run: |
-          npm publish
-
+        # 👇 关键修正 2：添加 --provenance 参数
+        # 同时添加 --access public 确保包是公开的（OIDC 目前主要支持公开包）
+        run: npm publish --provenance --access public