Conversation

@gnbm (Contributor) commented Nov 6, 2025

What is the current behavior?

  • Release workflows (release-dev, release-nightly, release-production) and the reusable publish-npm action still inject a long-lived NPM_TOKEN, so they do not use npm’s trusted-publisher/OIDC flow.

GitHub Issue Number: N/A

What is the new behavior?

  • Configure the reusable publish-npm action to set up Node with the npm registry, upgrade npm, and publish with provenance using the OIDC credential.
  • Remove .npmrc token writes from the dev and nightly workflows; they now rely solely on the reusable action.
  • Inline the same OIDC setup for the production workflow before running npm run release.ci.

Documentation

Does this introduce a breaking change?

  • Yes
  • No

Testing

  • Not run (GitHub Actions workflow update only).

Other information

  • Aligns all release workflows with npm’s trusted-publishing requirements so the branch can pass new registry enforcement.
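The publish flow the description sketches (set up Node against the registry, upgrade npm, publish with provenance on the OIDC credential) written out as an added example; this is not the Stencil repository's own action.yml or release workflow. The input names node-version and registry-url are taken from the review table, while the Node version, the dist-tag input, the public access level, the commented "before" step and the caller job's layout are assumptions. The part worth checking in any port of this pattern is the permissions block: a composite action cannot declare it, the calling job must grant id-token: write, and without it npm has no OIDC token to exchange.

```yaml
# Illustrative path: .github/workflows/actions/publish-npm/action.yml
# Added example, not the Stencil project's own composite action.
name: publish-npm
description: Publish to npm with OIDC trusted publishing and provenance; no long-lived NPM_TOKEN

inputs:
  node-version:            # input name from the review table; default assumed
    description: Node.js version to set up
    required: false
    default: '22'
  registry-url:            # input name from the review table
    description: npm registry to publish to
    required: false
    default: 'https://registry.npmjs.org'
  tag:                     # assumed input
    description: npm dist-tag to publish under
    required: false
    default: 'latest'

runs:
  using: composite
  steps:
    # BEFORE (generic weak pattern, not the project's exact removed lines):
    # a long-lived secret written to disk on the runner. It never expires on
    # its own, and whoever obtains it can publish until it is rotated.
    #
    # - run: echo "//registry.npmjs.org/:_authToken=${NPM_TOKEN}" > ~/.npmrc
    #   env:
    #     NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
    #   shell: bash

    # AFTER: setup-node only points npm at the registry; no token is set.
    - name: Set up Node.js and the registry
      uses: actions/setup-node@v6.0.0
      with:
        node-version: ${{ inputs.node-version }}
        registry-url: ${{ inputs.registry-url }}

    # Trusted publishing needs a recent npm client (11.5.1 or newer per npm's
    # trusted-publishing docs); the npm bundled with older Node releases does
    # not perform the OIDC exchange and would look for a token instead.
    - name: Upgrade npm
      run: npm install -g npm@latest
      shell: bash

    # No NODE_AUTH_TOKEN here: npm exchanges the job's OIDC token for a
    # short-lived publish credential and attaches a provenance attestation.
    # The tag is passed through an environment variable instead of ${{ }}
    # inside the script so an input value cannot be parsed as shell syntax.
    - name: Publish with provenance
      run: npm publish --provenance --access public --tag "$NPM_TAG"
      shell: bash
      env:
        NPM_TAG: ${{ inputs.tag }}

---
# Caller side (a release workflow job; layout assumed). A composite action
# has no permissions block of its own, so the job must expose the OIDC token.
jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # without this there is no OIDC token for npm to exchange
    steps:
      - uses: actions/checkout@v5.0.0
      - uses: ./.github/workflows/actions/publish-npm
        with:
          node-version: '22'
          registry-url: 'https://registry.npmjs.org'
          tag: ${{ inputs.tag }}
```

Configure the trusted publisher on npmjs.com for this repository and the calling workflow file before the first run, and keep NODE_AUTH_TOKEN off the publish step: the point of the change is that no long-lived credential is present on the runner to leak, and a job that still carries one has not actually moved to OIDC.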

@gnbm gnbm added the github_actions Pull requests that update GitHub Actions code label Nov 6, 2025
@gnbm gnbm marked this pull request as ready for review November 6, 2025 15:40
@gnbm gnbm requested a review from a team as a code owner November 6, 2025 15:40
Copilot AI left a comment

Pull Request Overview

This PR modernizes the GitHub Actions workflows for Stencil's release pipelines by updating action versions and simplifying NPM authentication configuration.

  • Updates actions/checkout from v4.1.7 to v5.0.0 and actions/setup-node from an implicit usage to explicit v6.0.0 across all release workflows
  • Replaces manual .npmrc token configuration with actions/setup-node registry configuration
  • Adds emoji prefixes to workflow step names for improved visual scanning

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

  • .github/workflows/release-production.yml: Updates action versions, replaces manual NPM token setup with actions/setup-node configuration, and adds step to ensure latest npm version
  • .github/workflows/release-nightly.yml: Updates action versions, adds emoji step names, and modifies token parameter name from token to github-token
  • .github/workflows/release-dev.yml: Updates action versions, adds emoji step names, and modifies token parameter name from token to github-token
  • .github/workflows/actions/publish-npm/action.yml: Removes manual .npmrc configuration, adds actions/setup-node with registry configuration, adds new inputs for node-version and registry-url, and removes token input

Comments suppressed due to low confidence (1)

.github/workflows/release-production.yml:71

  • The npm run release.ci command likely performs publishing operations that require NPM authentication. Since the manual .npmrc configuration was removed, you need to add env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} to this step to ensure proper authentication when the publish scripts run.

      - name: 📦 Run Publish Scripts
        # pass the generated version number instead of the input, since we've already incremented it in the prerelease
        # step
        run: npm run release.ci -- --tag ${{ inputs.tag }}
        shell: bash


@gnbm gnbm requested a review from Copilot November 9, 2025 16:12
Copilot AI left a comment

Pull Request Overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (1)

.github/workflows/release-production.yml:71

  • The npm run release.ci command likely performs npm publish, but no NODE_AUTH_TOKEN environment variable is set on this step. After configuring actions/setup-node with registry-url at line 58, you need to provide authentication. Add env: NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} to this step, or ensure the entire job has access to this environment variable if using token-based authentication. Alternatively, if relying on OIDC with provenance (given the id-token: write permission), verify that the release.ci script properly supports this authentication method.

      - name: 📦 Run Publish Scripts
        # pass the generated version number instead of the input, since we've already incremented it in the prerelease
        # step
        run: npm run release.ci -- --tag ${{ inputs.tag }}
        shell: bash


@gnbm gnbm requested a review from Copilot November 9, 2025 16:16
Copilot AI left a comment

Pull Request Overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (1)

.github/workflows/release-production.yml:71

  • The npm run release.ci command likely performs npm publish operations but is missing the NODE_AUTH_TOKEN environment variable. When using actions/setup-node with registry-url, authentication requires setting NODE_AUTH_TOKEN in the environment.

    Add an env section to this step:

    - name: 📦 Run Publish Scripts
      run: npm run release.ci -- --tag ${{ inputs.tag }}
      shell: bash
      env:
        NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

      - name: 📦 Run Publish Scripts
        # pass the generated version number instead of the input, since we've already incremented it in the prerelease
        # step
        run: npm run release.ci -- --tag ${{ inputs.tag }}
        shell: bash


@gnbm gnbm requested a review from Copilot November 9, 2025 16:24
Copilot AI left a comment

Pull Request Overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

Comments suppressed due to low confidence (1)

.github/workflows/release-production.yml:71

  • The npm run release.ci command likely performs npm publish operations but is missing the required NODE_AUTH_TOKEN environment variable. Add an env section with NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} to enable authentication with the npm registry.

      - name: 📦 Run Publish Scripts
        # pass the generated version number instead of the input, since we've already incremented it in the prerelease
        # step
        run: npm run release.ci -- --tag ${{ inputs.tag }}
        shell: bash


@gnbm gnbm enabled auto-merge November 13, 2025 16:18
@gnbm gnbm added this pull request to the merge queue Nov 13, 2025
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Nov 13, 2025
@gnbm gnbm added this pull request to the merge queue Nov 13, 2025
Merged via the queue into main with commit 6b01357 Nov 13, 2025
69 checks passed
@gnbm gnbm deleted the gm/review-publish-npm-ga branch November 13, 2025 17:00