chore: update NPM publishing

fixes #464

Signed-off-by: Ry Jones <ry@linux.com>

Author: ryjones

.github/workflows/release.yaml

@@ -9,6 +9,12 @@ on:
       - "v[0-9]+.[0-9]+.[0-9]+"
       - "v[0-9]+.[0-9]+.[0-9]+-*"
 
+# ---- Global permissions for Trusted Publishing & attestations ----
+# id-token:write is required for OIDC (npm trusted publishing, keyless attestations)
+# packages:write for GHCR; attestations:write for GitHub artifact attestations (optional but recommended)
+permissions:
+  contents: read
+
 env:
   IMAGE_NAME: ${{ github.repository_owner }}/fabric-nodeenv
 
@@ -19,22 +25,29 @@ jobs:
   publishnpm:
     runs-on: ubuntu-24.04
     needs: test
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           node-version: "18.x"
           registry-url: "https://registry.npmjs.org"
+      # Ensure npm 11.5.1 or later for trusted publishing support
+      - name: Update npm
+        run: npm install -g npm@latest
       - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
           name: node-tgzs
           path: build/
-      - run: |
+      - name: Publish packages with provenance (OIDC)
+        # No NODE_AUTH_TOKEN needed when Trusted Publishing is enabled.
+        # --provenance tells npm to attach SLSA provenance to the package.  [oai_citation:1‡The GitHub Blog](https://github.blog/security/supply-chain-security/introducing-npm-package-provenance/?utm_source=chatgpt.com)
+        run: |
           set -xev
           ls -lart build/
           cd build
           find . -type f -name 'fabric-*.tgz' -exec npm publish {} \;
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
   docker-build-push:
     name: Push Docker image