Enable NPM trusted publishing with OIDC (#288)

## Summary
Update npm publish workflow to use OIDC trusted publishing with
provenance.

## Changes
- Add `id-token: write` and `contents: read` permissions for OIDC
authentication
- Use `yarn npm publish` with `--provenance` flag for supply chain
security
- Remove `yarn pack` step (no longer needed with direct yarn publishing)
- Update actions to v6
- Remove `NODE_AUTH_TOKEN` secret (no longer needed with OIDC)

## Status
✅ Trusted publishing has been configured on npmjs.com for this package.

Author: hillna

.github/workflows/ci.yml

@@ -13,6 +13,7 @@ jobs:
     runs-on: ubuntu-latest
 
     permissions:
+      contents: read
       # https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions
       id-token: write
 
@@ -32,15 +33,8 @@ jobs:
       - run: yarn run lint:ci
       - run: yarn run test
 
-      - run: yarn pack
       - name: Publish to NPM (dry run)
-        # `yarn publish` does not support --provenance
-        run: npm publish package.tgz --provenance --access public --dry-run
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
+        run: yarn npm publish --provenance --access public --dry-run
       - name: Publish to NPM
         if: ${{ startsWith(github.ref, 'refs/tags/v') }}
-        # `yarn publish` does not support --provenance
-        run: npm publish package.tgz --provenance --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
+        run: yarn npm publish --provenance --access public

package.json

@@ -10,7 +10,7 @@
   ],
   "repository": {
     "type": "git",
-    "url": "https://github.com/foxglove/crc.git"
+    "url": "git+https://github.com/foxglove/crc.git"
   },
   "author": {
     "name": "Foxglove",
@@ -52,5 +52,5 @@
     "typescript": "5.9.3",
     "typescript-eslint": "8.52.0"
   },
-  "packageManager": "yarn@4.9.2"
+  "packageManager": "yarn@4.12.0"
 }