Update publish workflow to use npm Trusted Publishers (OIDC)

No more NPM_TOKEN secret needed — GitHub Actions authenticates
directly via OIDC. Triggered on GitHub release creation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: icebob-ai

.github/workflows/publish.yml

@@ -1,9 +1,12 @@
 name: Publish to NPM
 
 on:
-  workflow_dispatch:
-  # release:
-  #   types: [published]
+  release:
+    types: [published]
+
+permissions:
+  id-token: write
+  contents: read
 
 jobs:
   publish:
@@ -16,7 +19,9 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: 22.x
-          registry-url: https://registry.npmjs.org
+
+      - name: Update npm (OIDC support)
+        run: npm install -g npm@latest
 
       - name: Install dependencies
         run: npm ci
@@ -28,6 +33,4 @@ jobs:
         run: npm run build
 
       - name: Publish
-        run: npm publish --tag latest --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npm publish --access public