Match npm trusted publishers docs exactly

- Move permissions to workflow level
- Use npm ci instead of bun install
- Remove --provenance flag (auto-detected)
- Use working-directory instead of cd
- Use actions/checkout@v4

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: xrendan

.github/workflows/npm-publish.yml

@@ -20,76 +20,48 @@ on:
                     - charts
                     - colours
 
+permissions:
+    id-token: write
+    contents: read
+
 env:
     DRY_RUN: ${{ github.event.inputs.dry-run == 'true' && '--dry-run' || '' }}
 
 jobs:
     publish-charts:
         if: github.event.inputs.package == 'all' || github.event.inputs.package == 'charts' || github.event_name == 'release'
         runs-on: ubuntu-latest
-        permissions:
-            contents: read
-            id-token: write
         steps:
-            - name: Checkout repository
-              uses: actions/checkout@v5
-
-            - name: Setup Bun
-              uses: oven-sh/setup-bun@v2
-              with:
-                  bun-version: latest
+            - uses: actions/checkout@v4
 
-            - name: Setup Node.js
-              uses: actions/setup-node@v4
+            - uses: actions/setup-node@v4
               with:
                   node-version: "22"
                   registry-url: "https://registry.npmjs.org"
 
-            - name: Install dependencies
-              run: bun install --frozen-lockfile
-
-            - name: Run tests
-              run: bun run test
+            - run: npm ci
 
-            - name: Verify charts package can be packed
-              run: cd packages/charts && npm pack --dry-run
+            - run: npm test
+              working-directory: packages/charts
 
-            - name: Publish @buildcanada/charts
-              run: cd packages/charts && npm publish --access public --provenance ${{ env.DRY_RUN }}
-              env:
-                  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+            - run: npm publish --access public ${{ env.DRY_RUN }}
+              working-directory: packages/charts
 
     publish-colours:
         if: github.event.inputs.package == 'all' || github.event.inputs.package == 'colours' || github.event_name == 'release'
         runs-on: ubuntu-latest
-        permissions:
-            contents: read
-            id-token: write
         steps:
-            - name: Checkout repository
-              uses: actions/checkout@v5
+            - uses: actions/checkout@v4
 
-            - name: Setup Bun
-              uses: oven-sh/setup-bun@v2
-              with:
-                  bun-version: latest
-
-            - name: Setup Node.js
-              uses: actions/setup-node@v4
+            - uses: actions/setup-node@v4
               with:
                   node-version: "22"
                   registry-url: "https://registry.npmjs.org"
 
-            - name: Install dependencies
-              run: bun install --frozen-lockfile
-
-            - name: Build colours package
-              run: cd packages/colours && bun run build
+            - run: npm ci
 
-            - name: Verify colours package can be packed
-              run: cd packages/colours && npm pack --dry-run
+            - run: npm run build
+              working-directory: packages/colours
 
-            - name: Publish @buildcanada/colours
-              run: cd packages/colours && npm publish --access public --provenance ${{ env.DRY_RUN }}
-              env:
-                  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+            - run: npm publish --access public ${{ env.DRY_RUN }}
+              working-directory: packages/colours