
feat: add npm trusted publishing with OIDC authentication#244

Merged
ls-ramos merged 4 commits into main from feature/122288-trusted-publisher
Feb 9, 2026

Conversation


@ls-ramos ls-ramos commented Feb 2, 2026

Success criteria

  • Packages can be published to npm using OIDC authentication (trusted publishing)
  • No long-lived npm tokens are required in GitHub secrets
  • Provenance attestations are automatically generated for published packages

How to test

  1. Configure trusted publisher on npmjs.com for this package:
    • Organization: Cognigy
    • Repository: Webchat
    • Workflow filename: publish.yml
  2. Merge this PR and create a release
  3. Verify the package is published successfully without npm_token

Security

  • Possible injection vector
  • Authentication/Access controls touched
  • Sensitive Data could be exposed
  • XSS
  • Logging/Monitoring touched
  • Exchanges data with external systems
  • No security implications

Additional considerations

  • This PR might have performance implications

Documentation Considerations

These are hints for the documentation team to help write the docs.
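For readers following the success criteria and test steps above, here is an illustration of what the migration looks like in a GitHub Actions publish job. This is an added example, not the workflow from this PR or the Cognigy/Webchat repository: the trigger, step names, the package contents and the build script are assumptions; the owner, repository and workflow filename are the values the trusted publisher configuration above binds to.

```yaml
# Added example of an npm publish job using OIDC trusted publishing.
# Not the repository's own publish.yml; trigger, steps and build script are assumed.
name: publish

on:
  release:
    types: [published]

jobs:
  publish:
    runs-on: ubuntu-latest
    # Scope the OIDC permission to this job only, not the whole workflow.
    permissions:
      contents: read
      id-token: write   # lets this job request a GitHub OIDC token; npm exchanges it for a short-lived publish credential
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 24.x                       # trusted publishing needs npm >= 11.5.1, which Node 24 ships
          registry-url: https://registry.npmjs.org # setup-node points npm at this registry; no token is written

      - run: npm ci
      - run: npm run build                          # assumed build script

      # Before this change, a long-lived secret was injected here and written to .npmrc:
      #   env:
      #     NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      # After: no secret at all. The registry checks that the OIDC token's claims
      # (owner Cognigy, repository Webchat, workflow file publish.yml) match the
      # trusted publisher configured on npmjs.com for this package, then issues a
      # single-use credential. Provenance is generated for this flow automatically;
      # the flag only makes that explicit.
      - run: npm publish --provenance
```

Two things worth checking when adopting this. The trusted publisher is bound to the exact workflow filename, so renaming publish.yml silently breaks publishing until the npmjs.com configuration is updated, which is also why `id-token: write` should live on the publish job rather than at workflow level, so other jobs cannot mint a token that satisfies that binding. Consumers can confirm the attestations end to end with `npm audit signatures` in a project that depends on the package, which fails if a published version lacks a valid registry signature or provenance statement.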

Copilot AI review requested due to automatic review settings February 2, 2026 17:00

Copilot AI left a comment


Pull request overview

This PR migrates the npm publishing workflow from using long-lived authentication tokens to OIDC-based trusted publishing, eliminating the need to store npm credentials in GitHub secrets while automatically generating provenance attestations.

Changes:

  • Implements OIDC authentication for npm trusted publishing with required permissions
  • Removes manual .npmrc configuration and npm token handling
  • Updates Node.js version from 22.x to 24.x

Comment thread .github/workflows/publish.yml

graymalkin77 commented Feb 2, 2026

Snyk checks have passed. No issues have been found so far.

Scanner                 Critical  High  Medium  Low  Total
Open Source Security    0         0     0       0    0 issues
Licenses                0         0     0       0    0 issues
Code Security           0         0     0       0    0 issues


@ls-ramos ls-ramos requested a review from a team February 9, 2026 11:36
Copilot AI review requested due to automatic review settings February 9, 2026 11:42

Copilot AI left a comment


Pull request overview

Copilot reviewed 6 out of 7 changed files in this pull request and generated 2 comments.

Comment thread .github/workflows/release.yml Outdated
Comment thread .github/workflows/format.yml Outdated
@ls-ramos ls-ramos merged commit 9d70f7e into main Feb 9, 2026
7 checks passed

4 participants