Update GitHub Actions workflow for npm publishing

[gracepark]

Part of: https://github.com/github/web-systems/issues/4309

[Copilot]

Pull request overview

Updates the npm publishing GitHub Actions workflow to use newer GitHub Actions versions and attempt to publish to npm with provenance enabled.

Changes:

• Bumps actions/checkout and actions/setup-node from v3 to v4.
• Updates the publishing job to use Node.js 24 and grants id-token: write permissions.
• Switches the publish command to npm publish --provenance and removes token-based auth wiring.

Show a summary per file

File	Description
.github/workflows/publish.yml	Modernizes the release publish workflow and changes the publish/auth approach to support provenance.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comments suppressed due to low confidence (2)

.github/workflows/publish.yml:25

• The publish step no longer supplies npm authentication (previously via NODE_AUTH_TOKEN secret). As written, npm publish will fail with an auth error unless npm Trusted Publishing (OIDC-based) is configured for this package on npmjs. If Trusted Publishing is intended, consider adding an explicit note/validation step (e.g., npm whoami) so failures are clearer; otherwise reintroduce token-based auth for the publish command.

      - run: npm version ${TAG_NAME} --git-tag-version=false
        env:
          TAG_NAME: ${{ github.event.release.tag_name }}
      - run: npm --ignore-scripts publish --provenance

.github/workflows/publish.yml:18

• node-version: 24 is unquoted and differs from the semver-style string used elsewhere in this repo (e.g. '20.x'). Using a quoted semver range like '24.x' avoids YAML type coercion and makes intent consistent with other workflows.

        with:
          node-version: 24
          registry-url: https://registry.npmjs.org/

• Files reviewed: 1/1 changed files
• Comments generated: 1