ci: trusted publishing

[petar-omni]

This pull request updates the release workflow to improve npm publishing security and compatibility. The main changes are updating npm to the latest version and switching to OIDC-based authentication for npm publishing.

Release workflow improvements:

• Updated the workflow to install the latest version of npm to ensure compatibility with trusted publishing requirements.
• Changed npm authentication to use OIDC instead of an NPM_TOKEN, following best practices for secure publishing.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 4940394

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Review	Updated (UTC)
dashboard-finery	Ready	Preview, Comment	Jan 19, 2026 0:05am
dashboard-utila	Ready	Preview, Comment	Jan 19, 2026 0:05am
staging-widget	Ready	Preview, Comment	Jan 19, 2026 0:05am
stakekit-widget	Ready	Preview, Comment	Jan 19, 2026 0:05am

[Copilot]

Pull request overview

This PR updates the release workflow to implement OIDC-based authentication for npm publishing (trusted publishing) instead of using a token-based approach. The changes aim to improve security by removing the need for storing an NPM_TOKEN secret.

Changes:

• Install latest npm version to meet trusted publishing requirements (minimum npm 11.5.1)
• Remove NPM_TOKEN secret usage and set it to empty string to enable OIDC authentication

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This implementation is incomplete for OIDC-based npm publishing. The workflow is missing the required id-token: write permission in the permissions section (lines 14-16). Without this permission, the GitHub Actions workflow cannot request an OIDC token, and npm publishing will fail.

Additionally, you may need to configure provenance settings. Consider adding an .npmrc file or updating package.json publishConfig with provenance: true to enable npm provenance, which generates signed attestations of where and how the package was built.

[Copilot]

The comment mentions npm version 11.5.1 as the requirement, but the installation command uses npm@latest. This could potentially install a future version with breaking changes or regressions. Consider pinning to a specific minimum version that's known to work (e.g., npm@11.5.1 or npm@^11.5.1) to ensure reproducible builds and avoid unexpected issues from future npm releases.

Suggested change

	run: npm install -g npm@latest
	run: npm install -g npm@11.5.1