Contributor

Copilot AI commented Oct 22, 2025

Overview

This PR updates the GitHub Actions workflow to comply with the 2025 npm authentication and token management changes, adopting GitHub's OIDC-based trusted publishers for enhanced security.

Changes Made

Action Version Updates

  • actions/checkout: Upgraded from v2 to v5 in both main and release jobs
  • actions/setup-node: Upgraded from v2 to v6 in both main and release jobs
  • cycjimmy/semantic-release-action: Upgraded from v2 to v5.0.2

Node Version Modernization

  • Main job matrix: Updated from [18, 20] to [lts/-1, lts/*, latest] to automatically test against previous LTS, current LTS, and latest Node.js versions
  • Release job: Changed from hardcoded 20 to lts/* for automatic LTS version usage

Semantic Release Configuration

  • semantic_version: Updated from 17 to 25 to use the latest semantic-release major version

Security Improvements

  • Removed NPM_TOKEN: No longer required as npm releases now use GitHub's OIDC authentication
  • Added explicit permissions to the release job:
    • contents: write - to publish GitHub releases
    • id-token: write - to enable OIDC for npm provenance
    • issues: write - to comment on released issues
    • pull-requests: write - to comment on released pull requests

Benefits

  1. Enhanced Security: OIDC-based authentication eliminates the need for long-lived NPM tokens
  2. Better Provenance: npm packages will include cryptographic provenance information
  3. Automatic Version Updates: Using lts/* and latest means the workflow adapts to new Node.js versions without manual updates
  4. Compliance: Aligns with npm's latest security requirements and best practices

Testing

The YAML syntax has been validated and all changes maintain the existing workflow structure without modifying unrelated logic or configurations.

Original prompt

This section details the original issue you should resolve

<issue_title>Update to use trusted publishers</issue_title>
<issue_description>Review and modernize this repository’s GitHub Actions workflows to comply with the 2025 npm authentication and token management changes.

Focus only on updating workflow steps and permissions, not environment configuration or unrelated logic.

Specifically:

  1. Upgrade all actions/checkout steps to the latest major version (currently v5).

  2. Upgrade all actions/setup-node steps to the latest major version (currently v6).

  3. Update node-version values to lts/* for the release job and if there's a matrix in place for other jobs, use [lts/-1, lts/*, latest] so we don't have to keep these versions updated in the future. If it's a single node version, then lts/* alone works.

  4. Upgrade cycjimmy/semantic-release-action to the latest major version (currently v5.0.2).

  5. Update the semantic_version input to the current major (currently 25).

  6. Remove all references to NPM_TOKEN, as npm releases now use GitHub’s OIDC authentication for provenance.

  7. Add explicit permissions to the semantic-release job:

    permissions:
      contents: write # to be able to publish a GitHub release
      id-token: write # to enable use of OIDC for npm provenance
      issues: write # to be able to comment on released issues
      pull-requests: write # to be able to comment on released pull requests

Do not modify other permissions, secrets, job logic, or environment blocks unrelated to these security and release changes.</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #243




Note

Updates validate workflow to latest action versions, LTS/Latest Node matrix, adds release permissions for OIDC, upgrades semantic-release, and removes NPM_TOKEN.

  • CI Workflow (.github/workflows/validate.yml)
    • Actions upgrades:
      • actions/checkout v2 → v5
      • actions/setup-node v2 → v6
    • Node versions:
      • Main job matrix: [18, 20] → [lts/-1, lts/*, latest]
      • Release job: node-version: 20 → lts/*
    • Release job:
      • Added permissions: contents: write, id-token: write, issues: write, pull-requests: write
      • cycjimmy/semantic-release-action v2 → v5.0.2; semantic_version 17 → 25
      • Removed NPM_TOKEN env (using OIDC)

Written by Cursor Bugbot for commit 675e58c.
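The release workflow described in this PR, reconstructed as an added illustration (it is not the repository's actual validate.yml): the action versions, Node matrix, permissions block and semantic_version value come from the PR description, while the triggers, the `npm ci`/`npm test` steps, the `needs`/`if` guard and the GITHUB_TOKEN env entry are assumptions.

```yaml
name: validate

on:                        # assumed triggers; not stated in the PR
  push:
    branches: [main]
  pull_request:

jobs:
  main:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        node: [lts/-1, lts/*, latest]  # was [18, 20]
    steps:
      - uses: actions/checkout@v5      # was v2
      - uses: actions/setup-node@v6    # was v2
        with:
          node-version: ${{ matrix.node }}
      - run: npm ci                    # assumed build/test steps
      - run: npm test

  release:
    needs: main                        # assumed guard
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    # Job-level permissions: every scope not listed here is denied.
    permissions:
      contents: write       # publish the GitHub release
      id-token: write       # request the OIDC token npm verifies for provenance
      issues: write         # comment on released issues
      pull-requests: write  # comment on released pull requests
    steps:
      - uses: actions/checkout@v5
      - uses: actions/setup-node@v6
        with:
          node-version: lts/*          # was 20
      - run: npm ci
      - uses: cycjimmy/semantic-release-action@v5.0.2  # was v2
        with:
          semantic_version: 25         # was 17
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}    # assumed to already exist
          # NPM_TOKEN removed: npm authenticates the runner's OIDC token instead
```

Declaring `permissions:` at job level also drops every scope not listed to `none`, so the release job runs with exactly the four grants it needs. With `id-token: write` the runner can mint the short-lived OIDC token that npm's trusted publishing verifies, which is what makes the long-lived NPM_TOKEN secret unnecessary.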


coderabbitai bot commented Oct 22, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

- Upgrade actions/checkout from v2 to v5
- Upgrade actions/setup-node from v2 to v6
- Update node matrix to [lts/-1, lts/*, latest]
- Update release node to lts/*
- Upgrade semantic-release-action from v2 to v5.0.2
- Update semantic_version from 17 to 25
- Remove NPM_TOKEN (using OIDC for npm provenance)
- Add explicit permissions to release job

Co-authored-by: kentcdodds <[email protected]>
Copilot AI changed the title [WIP] Update workflows to use trusted publishers and modernize steps chore: modernize GitHub Actions workflow for npm trusted publishers Oct 22, 2025
Copilot AI requested a review from kentcdodds October 22, 2025 23:41
@kentcdodds kentcdodds marked this pull request as ready for review October 22, 2025 23:44
@kentcdodds kentcdodds merged commit d5b7792 into main Oct 22, 2025
3 of 10 checks passed
@kentcdodds kentcdodds deleted the copilot/update-github-actions-workflows branch October 22, 2025 23:49