fix(ci): use trusted publisher for npm release

Author: zxch3n

.github/workflows/release-please.yml

@@ -29,6 +29,9 @@ jobs:
         needs: release
         if: ${{ needs.release.outputs.releases_created == 'true' }}
         runs-on: ubuntu-latest
+        permissions:
+            contents: read
+            id-token: write
         steps:
             - name: Checkout
               uses: actions/checkout@v4
@@ -41,7 +44,7 @@ jobs:
             - name: Setup Node
               uses: actions/setup-node@v4
               with:
-                  node-version: "20"
+                  node-version: "24"
                   registry-url: "https://registry.npmjs.org"
                   cache: "pnpm"
 
@@ -52,8 +55,6 @@ jobs:
               run: pnpm -r build
 
             - name: Publish changed packages to npm
-              env:
-                  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
               run: |
                   set -euo pipefail
                   echo "Finding unpublished workspace packages..."