
Update GitHub Actions workflow for npm security compliance (2025)#15

Merged
kentcdodds merged 2 commits into main from copilot/update-workflows-for-npm-security on Oct 23, 2025

Conversation

Contributor

Copilot AI commented Oct 22, 2025

This PR modernizes the GitHub Actions release workflow to comply with the 2025 npm authentication and token management changes.

Changes

Action Versions

  • Upgraded actions/checkout from v4 to v5
  • Upgraded actions/setup-node from v4 to v6
  • Upgraded cycjimmy/semantic-release-action from v4 to v5.0.2

Node.js Version

  • Updated node-version from 20 to lts/* to automatically use the latest LTS version without manual updates

Semantic Release

  • Updated semantic_version from 17 to 25 to use the current major version

npm Authentication

  • Removed NPM_TOKEN from environment variables - npm releases now use GitHub's OIDC authentication for provenance
  • The existing id-token: write permission enables secure OIDC-based authentication
  • NPM_CONFIG_PROVENANCE: true continues to ensure npm package provenance

Security Improvements

This update eliminates the need for long-lived npm tokens, replacing them with short-lived OIDC tokens that are automatically generated by GitHub Actions. This significantly reduces the attack surface and improves the security posture of the release process.

The workflow permissions remain unchanged and correctly configured:

  • contents: write - to publish GitHub releases
  • id-token: write - to enable OIDC for npm provenance
  • issues: write - to comment on released issues
  • pull-requests: write - to comment on released PRs

Verification

  • ✅ Build passes successfully
  • ✅ CodeQL security scan shows no vulnerabilities
  • ✅ No changes to job logic or functionality
Original prompt

This section details the original issue you should resolve

<issue_title>Update to use trusted publishers</issue_title>
<issue_description>Review and modernize this repository’s GitHub Actions workflows to comply with the 2025 npm authentication and token management changes.

Focus only on updating workflow steps and permissions, not environment configuration or unrelated logic.

Specifically:

  1. Upgrade all actions/checkout steps to the latest major version (currently v5).

  2. Upgrade all actions/setup-node steps to the latest major version (currently v6).

  3. Update node-version values to lts/* for the release job and if there's a matrix in place for other jobs, use relative versions from lts. For example: [lts/-1, lts/*, latest] so we don't have to keep these versions updated in the future. If it's a single node version, then lts/* alone works.

  4. Upgrade cycjimmy/semantic-release-action to the latest major version (currently v5.0.2).

  5. Update the semantic_version input to the current major (currently 25).

  6. Remove all references to NPM_TOKEN, as npm releases now use GitHub’s OIDC authentication for provenance.

  7. Add explicit permissions to the semantic-release job:

    permissions:
      contents: write # to be able to publish a GitHub release
      id-token: write # to enable use of OIDC for npm provenance
      issues: write # to be able to comment on released issues
      pull-requests: write # to be able to comment on released pull requests

Do not modify other permissions, secrets, job logic, or environment blocks unrelated to these security and release changes.</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #14




Note

Modernizes the release GitHub Actions workflow by upgrading action versions, switching Node to lts/*, bumping semantic-release to v25, and removing NPM_TOKEN in favor of OIDC.

  • CI/Release Workflow (.github/workflows/release.yml):
    • Action upgrades:
      • actions/checkout v4 → v5
      • actions/setup-node v4 → v6
      • cycjimmy/semantic-release-action v4 → v5.0.2
    • Node.js: node-version 20 → lts/*.
    • Semantic Release: semantic_version 17 → 25.
    • npm auth: remove NPM_TOKEN from env (use OIDC/provenance).

Written by Cursor Bugbot for commit 3c325eb.

Co-authored-by: kentcdodds <1500684+kentcdodds@users.noreply.github.com>
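The release job the PR describes, written out as an added before/after example; this is not the repository's own .github/workflows/release.yml (the PR page does not reproduce it). The first YAML document is the long-lived-token pattern the PR removes, the second is the OIDC trusted-publishing form built from the action versions, Node alias, semantic_version and permissions listed above. The job name, the `npm ci` step, the step order and the GITHUB_TOKEN line are assumptions added for completeness.

```yaml
# BEFORE (constructed illustration): a long-lived npm automation token stored as a
# repository secret and exposed to every step that can read the job's env.
name: release
on:
  push:
    branches: [main]
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
      - run: npm ci
      - uses: cycjimmy/semantic-release-action@v4
        with:
          semantic_version: 17
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}   # long-lived secret: the thing the PR removes
---
# AFTER (constructed illustration): no npm secret at all. id-token: write lets the job
# request a short-lived GitHub OIDC token, which npm exchanges for a publish credential
# scoped to this repository and workflow (npm "trusted publishing").
name: release
on:
  push:
    branches: [main]
jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write       # publish the GitHub release
      id-token: write       # mint the OIDC token npm verifies
      issues: write         # comment on released issues
      pull-requests: write  # comment on released pull requests
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-node@v6
        with:
          node-version: lts/*          # tracks the current LTS line automatically
      - run: npm ci
      - uses: cycjimmy/semantic-release-action@v5.0.2
        with:
          semantic_version: 25
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_CONFIG_PROVENANCE: true   # keep generating a provenance attestation
```

Two checks a reviewer would make on the second form. First, OIDC publishing only works once the package on npmjs.com has a trusted publisher registered for exactly this repository and workflow filename; without that registration the publish step fails with an authentication error rather than silently falling back to a token. Second, trusted publishing needs a recent npm CLI (npm's documentation gives 11.5.1 as the minimum); if the npm bundled with the chosen Node LTS is older, add a `run: npm install -g npm@latest` step before the release action. A quick `grep -rn NPM_TOKEN .github/workflows` after the change confirms no stale reference survived.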
Copilot AI changed the title [WIP] Update GitHub Actions workflows for trusted publishers Update GitHub Actions workflow for npm security compliance (2025) Oct 23, 2025
Copilot AI requested a review from kentcdodds October 23, 2025 00:00
@kentcdodds kentcdodds marked this pull request as ready for review October 23, 2025 00:02
@kentcdodds kentcdodds merged commit 4238d83 into main Oct 23, 2025
4 checks passed
@kentcdodds kentcdodds deleted the copilot/update-workflows-for-npm-security branch October 23, 2025 00:04