CICDL-347: enable public npm publishing via trusted publishers (OIDC)

Switches from token-based npm auth to OIDC trusted publishers,
adds publish workflow, and registers repo as a library for org ruleset.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: Moser-ss

.github/workflows/ci.yml

@@ -10,10 +10,10 @@ jobs:
   ci:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
         with:
-          node-version: 20
+          node-version-file: .nvmrc
           cache: npm
       - run: npm ci
       - run: npm run lint

.github/workflows/publish.yml

@@ -0,0 +1,16 @@
+name: NPM Publish
+on:
+  pull_request:
+    types: [labeled]
+    branches: [master]
+jobs:
+  npm-publish:
+    if: contains(github.event.label.name, 'npm-version')
+    uses: pipedrive-actions/github-actions-workflows/.github/workflows/reusable_cicd-npm-publish.yml@master
+    with:
+      skip_functional_tests: true
+      use_trusted_publisher: true
+    permissions:
+      id-token: write
+      contents: read
+    secrets: inherit

package.json

@@ -38,5 +38,8 @@
     "typescript": "^5.4.0",
     "typescript-eslint": "^8.0.0",
     "vitest": "^1.6.0"
+  },
+  "publishConfig": {
+    "access": "public"
   }
 }

repository.json

@@ -0,0 +1,7 @@
+{
+  "name": "create-pipedrive-app",
+  "description": "Scaffold a production-ready Pipedrive Marketplace app",
+  "owner": "Gravity",
+  "type": "library",
+  "status": "released"
+}