ci: migrate npm publish to OIDC trusted publishing

.github/workflows/npmpublish.yml

@@ -56,6 +56,18 @@ jobs:
     needs:
         - test
     runs-on: ubuntu-latest
+    # OIDC trusted publishing: npm exchanges the GitHub-issued `id-token`
+    # for a short-lived publish credential at the registry, so there is no
+    # stored NPM_TOKEN to expire or rotate. `contents: write` is needed for
+    # the auto-bump commit + tag push.
+    #
+    # One-time setup on https://www.npmjs.com/package/ueberdb2/access:
+    #   Trusted Publishers → Add → Provider: GitHub Actions
+    #   Org: ether,  Repo: ueberDB,  Workflow filename: npmpublish.yml
+    #   Environment: (blank)
+    permissions:
+      contents: write
+      id-token: write
     steps:
       - uses: actions/checkout@v6
         with:
@@ -64,11 +76,12 @@ jobs:
       - uses: actions/setup-node@v6
         with:
           node-version: 24
+          registry-url: 'https://registry.npmjs.org'
 
       - name: Install pnpm
         uses: pnpm/action-setup@v5
         with:
-          version: 10
+          version: 11
           run_install: false
 
       - name: Get pnpm store directory
@@ -89,11 +102,6 @@ jobs:
       # version.
       - run: pnpm install --frozen-lockfile      # Workaround based on https://github.com/pnpm/pnpm/issues/3141
 
-      - name: Set publishing config
-        run: pnpm config set '//registry.npmjs.org/:_authToken' "${NODE_AUTH_TOKEN}"
-        env:
-          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
-
       - name: Bump version (patch)
         run: |
           LATEST_TAG=$(git describe --tags --abbrev=0) || exit 1
@@ -107,22 +115,23 @@ jobs:
           git push
           git push --follow-tags
 
-      # `npm publish` must come after `git push` otherwise there is a race
-      # condition: If two PRs are merged back-to-back then master/main will be
+      # `pnpm publish` must come after `git push` otherwise there is a race
+      # condition: If two PRs are merged back-to-back then main will be
       # updated with the commits from the second PR before the first PR's
-      # workflow has a chance to push the commit generated by `npm version
+      # workflow has a chance to push the commit generated by `pnpm version
       # patch`. This causes the first PR's `git push` step to fail after the
       # package has already been published, which in turn will cause all future
       # workflow runs to fail because they will all attempt to use the same
-      # already-used version number. By running `npm publish` after `git push`,
+      # already-used version number. By running `pnpm publish` after `git push`,
       # back-to-back merges will cause the first merge's workflow to fail but
       # the second's will succeed.
       - name: Convert typescript and create dist folder
         run: pnpm run build
 
-      - run: pnpm publish
-
-      - name: Add package to etherpad organization
-        run: npm access grant read-write etherpad:developers ueberdb2
-        env:
-          NODE_AUTH_TOKEN: ${{secrets.NPM_TOKEN}}
+      # pnpm 10.4+ auto-discovers the GHA OIDC token via `id-token: write`
+      # and exchanges it with npm for a publish credential — no NPM_TOKEN
+      # secret involved. `--provenance` attaches the signed-by-GitHub
+      # attestation that npm shows on the package page.
+      # `--no-git-checks` skips the "working tree dirty" guard, which would
+      # otherwise trip on the version-bump commit that's already been pushed.
+      - run: pnpm publish --no-git-checks --provenance