npm trusted publishing

Author: ssxv

.github/workflows/prebuild-and-publish.yml

@@ -94,8 +94,16 @@ jobs:
     name: Create release and publish
     runs-on: ubuntu-latest
     needs: build-prebuilds
+    permissions:
+      contents: write
+      id-token: write
     steps:
       - uses: actions/checkout@v4
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          registry-url: 'https://registry.npmjs.org'
       - name: Download artifacts
         uses: actions/download-artifact@v4
         with:
@@ -109,13 +117,5 @@ jobs:
           generate_release_notes: true
         env:
           GITHUB_TOKEN: ${{ secrets.RELEASE_TOKEN }}
-      - name: Authenticate to npm
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-        run: |
-          # Write a temporary .npmrc so npm publish is authenticated on the runner
-          echo "//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}" > ~/.npmrc
-
       - name: Publish to npm
-        run: |
-          npm publish --access public --ignore-scripts
+        run: npm publish --access public --provenance --ignore-scripts