fix(workflow): update npm publish workflow to support OIDC and npm CLI version

Author: SMAKSS

.github/workflows/npm-publish.yml

@@ -11,6 +11,7 @@ jobs:
       contents: write
       issues: write
       pull-requests: write
+      id-token: write
     steps:
       - uses: actions/checkout@v4
         with:
@@ -24,17 +25,17 @@ jobs:
           registry-url: https://registry.npmjs.org/
           scope: "@smakss"
           cache: pnpm
+      - name: Ensure npm CLI supports OIDC
+        run: npm install -g npm@11.5.1
       - run: pnpm install --frozen-lockfile
       - run: pnpm build
       - name: Release (master)
         if: github.ref_name == 'master'
         run: pnpm release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
       - name: Release (develop)
         if: github.ref_name == 'develop'
         run: pnpm release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

CONTRIBUTING.md

@@ -47,9 +47,10 @@ Releases are automated with semantic-release on every push to the `master` and
 - Do not manually bump versions or edit a changelog; releases are published on
   GitHub without committing files back to the repo.
 - Follow Conventional Commits so the release type can be inferred.
-- The GitHub Actions workflow requires these secrets:
-    - `NPM_TOKEN` (publish to npm)
-    - `GITHUB_TOKEN` (create GitHub release)
+- Releases use npm trusted publishing (OIDC). Configure the repository as a
+  trusted publisher in npm (using this workflow file) and ensure the workflow
+  has `id-token: write` and npm CLI >= 11.5.1.
+- `GITHUB_TOKEN` is used to create GitHub releases.
 
 To run a local dry run: