fix(npm): bump Node to 24 so OIDC trusted publishing works

[tkrugg]

Summary

v1.10.3 and v1.10.4 releases failed at the npm publish step with:

npm notice publish Provenance statement published to transparency log
npm error 404 Not Found - PUT https://registry.npmjs.org/@algolia%2fcli-darwin-x64

The provenance step succeeded (uses OIDC directly), but the package upload failed despite trusted publishers being configured for all 7 packages.

Root cause: npm 10.x (shipped with Node 22) has an incomplete OIDC trusted-publishing implementation — it can sign provenance attestations using the GitHub Actions OIDC token, but doesn't fall through to OIDC for authenticating the actual package PUT. npm 11.6+ (shipped with Node 24) handles the flow end-to-end.

Reference: npm/cli#8730 (comment) — Jason3S confirms Node 22 doesn't work, Node 24 with npm 11.6.2 does.

Change

Single-line bump: node-version: "22" → "24".

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

_{TIP This summary will be updated as you push new changes.}

[Copilot]

Pull request overview

Removes registry-url from the release workflow’s actions/setup-node@v4 step to prevent setup-node from writing an .npmrc that forces broken token auth, allowing npm to fall through to OIDC trusted publishing as intended.

Changes:

• Drop registry-url: https://registry.npmjs.org from the Node setup step so setup-node doesn’t generate an auth-bearing .npmrc that blocks OIDC publishing.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.