ci(release): migrate npm publish to OIDC provenance-based auth

[pitzcarraldo]

Summary

Remove NPM_TOKEN secret dependency from the release workflow and migrate to OIDC-based npm publishing with provenance attestation.

Details

• Add id-token: write permission for GitHub OIDC token generation
• Add --provenance flag to npm publish for supply chain security
• Remove NODE_AUTH_TOKEN env var (no longer needed with OIDC)
• Upgrade Node.js from 18 to 22 for npm provenance support

Reference: https://github.com/team-michael/notifly-react-native-sdk/blob/main/.github/workflows/release.yml

Related Issues

N/A

How to Validate

1. Trigger the release workflow via workflow_dispatch
2. Verify the publish-npm job authenticates via OIDC (no NPM_TOKEN needed)
3. Confirm the published package has provenance attestation on npmjs.com

Pre-Merge Checklist

Code Quality

• Code builds without errors (bun run build)
• Types check correctly (bun run typecheck)
• Linter passes (bun run lint)
• Tests pass (bun test)
• Added/updated tests for new functionality (if applicable)

Documentation

• Updated relevant documentation (if needed)
• Updated CLAUDE.md if architecture changed (if needed)

Commit Standards

• Commits follow Conventional Commits format
• No breaking changes, OR breaking changes are documented

Platform Validation

• macOS
• Linux

Summary by CodeRabbit

• Chores
  • Updated release workflow to use Node.js 22 and enhanced security practices for npm package publishing.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2ca149dd-7fb2-463d-be20-60d23006c751

📥 Commits

Reviewing files that changed from the base of the PR and between 30d0696 and 5c0ecf1.

📒 Files selected for processing (1)

• .github/workflows/release.yml

---

Walkthrough

Updated the release workflow to upgrade Node.js from version 18 to 22, added OIDC id-token write permission, enhanced npm publish command with the --provenance flag, and removed explicit NPM_TOKEN environment variable configuration.

Changes

Cohort / File(s)	Summary
Release Workflow Updates .github/workflows/release.yml	Upgraded Node.js to version 22 for npm publishing, added id-token: write permission for OIDC support, appended --provenance flag to npm publish command, and removed NPM_TOKEN-based environment configuration block.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and specifically describes the main change: migrating npm publish to OIDC-based authentication with provenance, which matches the core objective of the changeset.
Description check	✅ Passed	The description comprehensively covers all required template sections with detailed information about changes, validation steps, and pre-merge checklist completion status.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/npm-oidc-publishing

📝 Coding Plan

• Generate coding plan for human review comments

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5c0ecf1913

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".