fix publish workflow for pure OIDC Trusted Publishing

- Remove registry-url from setup-node (it creates .npmrc with token auth)
- Remove NODE_AUTH_TOKEN env var entirely
- Upgrade npm to latest (>= 11.5.1 required for Trusted Publishing)
- Use Node 22.x for publish job
- Remove --provenance flag (automatic with Trusted Publishing)
- Fix repository.url in package.json for provenance validation

Co-Authored-By: Claude Opus 4.6 <[email protected]>

Author: beefo

.github/workflows/publish.yml

@@ -1,15 +1,14 @@
 # Publishes the package to npm when a GitHub Release is created.
-# Uses a Granular Access Token for auth + OIDC for provenance attestation.
+# Uses npm Trusted Publishing (OIDC) — no access token needed.
 #
-# Setup:
-# 1. Create a Granular Access Token on npmjs.com:
-#    Settings → Access Tokens → Generate New Token → Granular Access Token
-#    Scope it to read+write on the mg-api-js package only
-# 2. Add it as a GitHub repository secret named NPM_TOKEN:
-#    Settings → Secrets and variables → Actions → New repository secret
-# 3. (Optional) Configure Trusted Publishing on npmjs.com for provenance:
-#    https://www.npmjs.com/package/mg-api-js/access → Trusted Publishing
-#    Repository owner: Geotab, Repository: mg-api-js, Workflow: publish.yml
+# Setup (one-time on npmjs.com):
+# 1. Go to https://www.npmjs.com/package/mg-api-js/access
+# 2. Under "Publishing access" → Configure Trusted Publishing
+# 3. Add a new trusted publisher:
+#    - Repository owner: Geotab
+#    - Repository name: mg-api-js
+#    - Workflow filename: publish.yml
+#    - Environment: (leave blank)
 #
 # Usage:
 # 1. Bump the version:  npm version patch|minor|major
@@ -37,8 +36,10 @@ jobs:
     - name: Setup Node.js
       uses: actions/setup-node@v4
       with:
-        node-version: 20.x
-        registry-url: https://registry.npmjs.org
+        node-version: 22.x
+
+    - name: Upgrade npm for Trusted Publishing
+      run: npm install -g npm@latest
 
     - name: Install dependencies
       run: npm ci
@@ -58,7 +59,5 @@ jobs:
           exit 1
         fi
 
-    - name: Publish to npm with provenance
-      run: npm publish --provenance --access public
-      env:
-        NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+    - name: Publish to npm
+      run: npm publish --access public

package.json

@@ -19,7 +19,7 @@
     "test:node": "npm run mocha:node"
   },
   "repository": {
-    "url": "https://github.com/Geotab/mg-api-js",
+    "url": "git+https://github.com/Geotab/mg-api-js.git",
     "type": "git"
   },
   "license": "MIT",