feat: use npm trusted publishing instead of NPM_TOKEN (#678)

Author: cogwirrel

.github/workflows/napi.yaml

@@ -453,6 +453,9 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: 20
+          registry-url: 'https://registry.npmjs.org'
+      - name: Update npm for trusted publishing support
+        run: npm i -g npm@11.6.1
       - name: Install dependencies
         run: npm install --ignore-scripts
         working-directory: ${{ env.WORKING_DIR }}
@@ -485,17 +488,14 @@ jobs:
       - name: Publish
         if: steps.version_check.outputs.should_publish == 'true' || github.event.inputs.publish == 'true'
         run: |
-          echo "//registry.npmjs.org/:_authToken=$NPM_TOKEN" >> ~/.npmrc
-          npm config set provenance true
           LOCAL_VERSION="${{ steps.version_check.outputs.local_version }}"
           if echo "$LOCAL_VERSION" | grep -q "-"; then
             echo "Publishing $LOCAL_VERSION as next"
-            npm publish --tag next --access public
+            npm publish --tag next --access public --provenance
           else
             echo "Publishing $LOCAL_VERSION as latest"
-            npm publish --access public
+            npm publish --access public --provenance
           fi
         working-directory: ${{ env.WORKING_DIR }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}