
Update GitHub Actions workflows for npm trusted publishers and 2025 security changes (#166)

Merged: kentcdodds merged 3 commits into main from copilot/update-action-workflows-for-security on Oct 22, 2025

Conversation

Copilot AI commented Oct 22, 2025


Summary

This PR updates the GitHub Actions workflows to comply with the 2025 npm authentication and token management changes, modernizing the CI/CD pipeline with the latest action versions and security best practices.

Changes

Action Version Upgrades

  • actions/checkout: v4 → v5
  • actions/setup-node: v4 → v6
  • cycjimmy/semantic-release-action: v4 → v5.0.2

Node.js Updates

  • Updated release job to use Node.js 24 (current LTS) instead of lts/*
  • Added semantic_version: 25 to semantic-release configuration

Security Improvements

  • Removed NPM_TOKEN environment variable from the release job
  • Added explicit permissions to the release job for OIDC-based npm provenance:
    permissions:
      contents: write        # to publish GitHub releases
      id-token: write        # to enable OIDC for npm provenance
      issues: write          # to comment on released issues
      pull-requests: write   # to comment on released pull requests

These changes enable the use of GitHub's OIDC authentication for npm publishing, providing enhanced security through trusted publishers instead of long-lived tokens.

Testing

  • ✅ YAML syntax validated with yamllint
  • ✅ No modifications to unrelated workflow logic or permissions
  • ✅ Changes are minimal and focused on security updates

Fixes #[issue-number]

Original prompt

This section details the original issue you should resolve

<issue_title>Update to use trusted publishers</issue_title>
<issue_description>Review and modernize this repository’s GitHub Actions workflows to comply with the [2025 npm authentication and token management changes](https://github.blog/changelog/2025-09-29-strengthening-npm-security-important-changes-to-authentication-and-token-management/).

Focus only on updating workflow steps and permissions, not environment configuration or unrelated logic.

Specifically:

  1. Upgrade all actions/checkout steps to the latest major version (currently v5).

  2. Upgrade all actions/setup-node steps to the latest major version (currently v6).

  3. Update node-version values to the current LTS (currently 24).

  4. Upgrade cycjimmy/semantic-release-action to the latest major version (currently v5.0.2).

  5. Update the semantic_version input to the current major (currently 25).

  6. Remove all references to NPM_TOKEN, as npm releases now use GitHub’s OIDC authentication for provenance.

  7. Add explicit permissions to the semantic-release job:

    permissions:
      contents: write # to be able to publish a GitHub release
      id-token: write # to enable use of OIDC for npm provenance
      issues: write # to be able to comment on released issues
      pull-requests: write # to be able to comment on released pull requests

Do not modify other permissions, secrets, job logic, or environment blocks unrelated to these security and release changes.</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #165




Note

Upgrade core actions and semantic-release, add explicit release permissions, and remove NPM_TOKEN to use OIDC/npm trusted publishers.

  • CI/CD (GitHub Actions):
    • Upgrade actions/checkout to v5 and actions/setup-node to v6 in main and release jobs.
    • Release job permissions: add contents: write, id-token: write, issues: write, pull-requests: write.
    • Upgrade cycjimmy/semantic-release-action to v5.0.2 with semantic_version: 25.
    • Remove NPM_TOKEN from release environment.

Written by Cursor Bugbot for commit 7a328a5.
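Worked example, added here and not taken from this PR's diff (the diff itself is not shown on this page): a release job in the shape the PR describes as "before" (long-lived NPM_TOKEN secret, older action versions, no explicit permissions) next to the "after" shape (explicit permissions including id-token: write, no NPM_TOKEN, upgraded actions). Job and step names, the push trigger and the GITHUB_TOKEN env for semantic-release are assumptions typical of such workflows, not details from the PR.

```yaml
# Added illustration of the change this PR describes; not the PR's own diff.
# Assumptions: trigger, job names and the GITHUB_TOKEN env are typical, not from the PR.
name: release
on:
  push:
    branches: [main]

jobs:
  # "Before": publishing authenticates with a long-lived npm token stored as a secret.
  # The job inherits the workflow/repository default permissions instead of declaring its own.
  release-before:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: lts/*
      - uses: cycjimmy/semantic-release-action@v4
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}   # long-lived secret; the PR removes this

  # "After": no NPM_TOKEN. The job is allowed to request a short-lived OIDC id-token,
  # which npm accepts because the package's trusted publisher (configured on the
  # npmjs.com side, outside this PR) names this repository and workflow file.
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # to publish GitHub releases
      id-token: write        # to enable OIDC for npm provenance
      issues: write          # to comment on released issues
      pull-requests: write   # to comment on released pull requests
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-node@v6
        with:
          node-version: 24   # current LTS per the PR; trusted publishing needs a recent npm CLI
      - uses: cycjimmy/semantic-release-action@v5.0.2
        with:
          semantic_version: 25
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # no NPM_TOKEN here: a leaked workflow log or secret no longer yields a reusable npm credential
```

Because the OIDC token is scoped to this repository and workflow and expires quickly, revoking or rotating a publish credential is no longer an operational task; the npm-side trusted publisher entry is the thing to audit.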

@coderabbitai

coderabbitai Bot commented Oct 22, 2025


Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

Co-authored-by: kentcdodds <1500684+kentcdodds@users.noreply.github.com>
Copilot AI changed the title [WIP] Update workflows to use trusted publishers Update GitHub Actions workflows for npm trusted publishers and 2025 security changes Oct 22, 2025
Copilot AI requested a review from kentcdodds October 22, 2025 23:25
Comment thread .github/workflows/validate.yml Outdated
@kentcdodds kentcdodds marked this pull request as ready for review October 22, 2025 23:29
@kentcdodds kentcdodds merged commit 65e774a into main Oct 22, 2025
6 checks passed
@kentcdodds kentcdodds deleted the copilot/update-action-workflows-for-security branch October 22, 2025 23:32
@github-actions


🎉 This PR is included in version 8.2.0 🎉

The release is available on:

Your semantic-release bot 📦🚀
