ci(github-actions): enable OIDC and trusted publishing for npm release workflow

Author: johaven

.github/workflows/release.yml

@@ -6,6 +6,9 @@ on:
 jobs:
   create-release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
 
     steps:
       - name: Checkout code
@@ -35,17 +38,15 @@ jobs:
       - name: Docker Build & Push (multi-arch)
         run: npm run docker:buildx
 
-      # Publish to NPM
+      # Publish to NPM (OIDC / Trusted Publishing)
       - name: Setup Node for npmjs
         uses: actions/setup-node@v4
         with:
           node-version: 22
           registry-url: 'https://registry.npmjs.org/'
       - name: Publish to npmjs.org
         working-directory: release/sync-in-server
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-        run: npm publish
+        run: npm publish --provenance
 
       - name: Extract changelog for current version
         id: changelog