chore(release): switch to npm trusted publishing

Author: timrichardson

.github/workflows/release.yml

@@ -6,17 +6,17 @@ on:
       - "v*"
 
 permissions:
-  contents: write
+  contents: read
   id-token: write
 
 jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
+      - uses: actions/checkout@v6
+      - uses: actions/setup-node@v6
         with:
-          node-version: 22
+          node-version: 24
           registry-url: https://registry.npmjs.org
           cache: npm
       - run: npm ci
@@ -44,9 +44,7 @@ jobs:
             echo "Tag version ${{ steps.meta.outputs.version }} does not match package.json version $package_version" >&2
             exit 1
           fi
-      - run: npm publish --access public --tag "${{ steps.meta.outputs.dist_tag }}" --provenance
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+      - run: npm publish --access public --tag "${{ steps.meta.outputs.dist_tag }}"
       - uses: softprops/action-gh-release@v2
         with:
           generate_release_notes: true

README.md

@@ -63,12 +63,19 @@ The repository includes GitHub Actions templates for CI and npm publishing from
 
 ## GitHub Actions setup
 
-Set this repository secret for automated npm publishing:
+Configure npm Trusted Publishing for this package:
 
-- `NPM_TOKEN`
+1. Open the `opencode-planner` package settings on npm.
+2. Add a GitHub Actions trusted publisher.
+3. Use:
+   - GitHub user/org: `timrichardson`
+   - Repository: `opencode-planner`
+   - Workflow filename: `release.yml`
 
 The release workflow publishes prerelease tags like `v0.1.1-beta.1` to the npm `beta` dist-tag, stable tags like `v0.1.1` to `latest`, and creates matching GitHub release notes automatically.
 
+Trusted Publishing uses GitHub OIDC and does not require an `NPM_TOKEN` secret for publishing.
+
 ## License
 
 MIT