Enable NPM trusted publishing with OIDC (#3)

## Summary
Update npm publish workflow to use OIDC trusted publishing with
provenance.

## Changes
- Add `id-token: write` and `contents: read` permissions for OIDC
authentication
- Update to `npx npm@11.7.0 publish` with `--provenance` flag for supply
chain security
- Update actions to v6
- Remove `NODE_AUTH_TOKEN` secret (no longer needed with OIDC)

## Status
✅ Trusted publishing has been configured on npmjs.com for this package.

Author: hillna

.github/workflows/ci.yml

@@ -10,14 +10,20 @@ on:
 jobs:
   wasm-lz4:
     runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      # https://docs.npmjs.com/generating-provenance-statements#publishing-packages-with-provenance-via-github-actions
+      id-token: write
+
     strategy:
       fail-fast: false
       matrix:
         node-version: [14.x, 16.x, 18.x]
 
     steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
         with:
           node-version: ${{ matrix.node-version }}
           registry-url: https://registry.npmjs.org
@@ -29,6 +35,4 @@ jobs:
 
       - name: Publish to NPM
         if: ${{ startsWith(github.ref, 'refs/tags/v') && matrix.node-version == '16.x' }}
-        run: npm publish --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
+        run: npx npm@11.7.0 publish --provenance --access public

.gitignore

@@ -1,2 +1,3 @@
 dist/
 node_modules/
+.DS_Store