ci(release): use Trusted Publisher

Author: webdeveric

.github/workflows/release.yml

@@ -5,35 +5,46 @@ on:
     branches:
       - main
 
+concurrency: release
+
+env:
+  HUSKY: 0
+
 permissions:
   contents: read # for checkout
 
 jobs:
   release:
     name: Release
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
+    environment: release
     permissions:
       contents: write # to be able to publish a GitHub release
       issues: write # to be able to comment on released issues
       pull-requests: write # to be able to comment on released pull requests
       id-token: write # to enable use of OIDC for npm provenance
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
       - name: Setup pnpm
         uses: pnpm/action-setup@v4
 
       - name: Use Node.js
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v6
         with:
-          node-version-file: '.nvmrc'
+          node-version-file: '.node-version'
           cache: 'pnpm'
 
+      - name: Install latest npm
+        run: |
+          npm install -g npm@latest
+          npm --version
+
       - name: Installing dependencies
-        run: pnpm install
+        run: pnpm install --frozen-lockfile
 
       - name: Building
         run: pnpm build
@@ -45,6 +56,4 @@ jobs:
       - name: Release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-          NPM_CONFIG_PROVENANCE: true
-        run: npx --no semantic-release
+        run: pnpm exec semantic-release