chore: switch to npm trusted publishing, remove auto-merge workflow

- Rewrite release.yml to use OIDC trusted publishing (no NPM_TOKEN needed)
- Trigger releases on v* tag push instead of workflow_dispatch
- Provenance attestations are generated automatically
- Remove dependabot-auto-merge.yml workflow
- Add RELEASE.md with setup and publishing instructions

Author: fxOne

.changeset/eslint-10-support.md

@@ -8,3 +8,5 @@ Add ESLint 10 support. This is a breaking change — ESLint 9 is no longer suppo
 - Update peer dependency to `eslint ^10.0.0`
 - Update all dev dependencies to latest versions
 - Migrate from yarn to pnpm
+- Switch release workflow to npm trusted publishing (OIDC)
+- Remove dependabot-auto-merge workflow

.github/workflows/dependabot-auto-merge.yml

@@ -1,22 +1,29 @@
 name: Release
 
-on: workflow_dispatch
+on:
+  push:
+    tags:
+      - "v*"
+
+permissions:
+  contents: write
+  id-token: write
 
 jobs:
   release:
-    name: Release
+    name: Publish to npm
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v4
         with:
-          # This makes Actions fetch all Git history so that Changesets can generate changelogs with the correct commits
           fetch-depth: 0
 
-      - name: Setup Node.js 20.x
+      - name: Setup Node.js 22.x
         uses: actions/setup-node@v4
         with:
-          node-version: 20.x
+          node-version: 22.x
+          registry-url: "https://registry.npmjs.org"
 
       - name: Install pnpm
         uses: pnpm/action-setup@v4
@@ -26,13 +33,13 @@ jobs:
       - name: Install Dependencies
         run: pnpm install
 
-      - name: Create Release Pull Request or Publish to npm
-        id: changesets
-        uses: changesets/action@master
+      - name: Run Tests
+        run: pnpm test
+
+      - name: Publish to npm (trusted publishing)
+        run: npm publish --access public
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v2
         with:
-          publish: pnpm release
-          commit: 'chore(release): update monorepo packages versions'
-          title: 'Upcoming Release Changes'
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          generate_release_notes: true

.github/workflows/release.yml

@@ -0,0 +1,87 @@
+# Release Process
+
+This project uses **npm trusted publishing** with OIDC — no npm tokens are
+needed for publishing. Provenance attestations are generated automatically.
+
+---
+
+## One-Time Setup
+
+These steps only need to be done once, before the first release.
+
+### 1. Configure trusted publishing on npmjs.com
+
+1. Go to https://www.npmjs.com/package/eslint-plugin-sort-keys-shorthand/access
+2. Sign in as a package owner
+3. Scroll to **"Trusted Publisher"** and click **GitHub Actions**
+4. Fill in the form:
+   - **Organization or user:** `fxOne`
+   - **Repository:** `eslint-plugin-sort-keys-shorthand`
+   - **Workflow filename:** `release.yml`
+   - **Environment name:** _(leave empty)_
+5. Save
+
+### 2. Lock down token access (recommended)
+
+1. On the same package settings page, go to **"Publishing access"**
+2. Select **"Require two-factor authentication and disallow tokens"**
+3. Save
+
+### 3. Remove the old NPM_TOKEN secret from GitHub
+
+1. Go to https://github.com/fxOne/eslint-plugin-sort-keys-shorthand/settings/secrets/actions
+2. Delete the `NPM_TOKEN` secret (no longer needed)
+3. Optionally delete the `AUTOMERGE_TOKEN` secret as well
+   (the `dependabot-auto-merge.yml` workflow has been removed)
+
+### 4. Revoke old npm access tokens
+
+1. Go to https://www.npmjs.com/settings/~/tokens
+2. Revoke any automation/publish tokens that were previously used by CI
+
+---
+
+## Publishing a New Release
+
+### Step 1: Merge the release PR
+
+Merge the release pull request into `master` on GitHub.
+
+### Step 2: Tag the release
+
+```bash
+git checkout master
+git pull origin master
+git tag v4.0.0
+git push origin v4.0.0
+```
+
+### Step 3: Automated release
+
+Pushing the `v*` tag automatically triggers the **Release** workflow which:
+
+1. Checks out the code
+2. Installs dependencies with pnpm
+3. Runs the full test suite
+4. Publishes to npm using OIDC (no token needed)
+5. Creates a GitHub Release with auto-generated release notes
+
+### Step 4: Verify
+
+- Check the workflow run: https://github.com/fxOne/eslint-plugin-sort-keys-shorthand/actions/workflows/release.yml
+- Verify the package on npm: https://www.npmjs.com/package/eslint-plugin-sort-keys-shorthand
+- The package page should show a **"Provenance"** badge confirming the build origin
+
+---
+
+## How It Works
+
+The release workflow uses **npm trusted publishing** via OpenID Connect (OIDC):
+
+- No `NPM_TOKEN` secret is stored in GitHub
+- GitHub Actions mints a short-lived OIDC token during the workflow run
+- npm verifies the token against the trusted publisher config on npmjs.com
+- Provenance attestations are generated automatically (signed by Sigstore)
+- The OIDC token cannot be extracted, reused, or leaked
+
+For more info: https://docs.npmjs.com/trusted-publishers