fix: GHA - use npm provenance

Author: andrew-polk

.github/workflows/release.yml

@@ -1,5 +1,10 @@
 name: Build-Test-Release
 
+permissions:
+    contents: write
+    id-token: write
+    actions: write
+
 on:
     push:
         branches:
@@ -19,6 +24,11 @@ jobs:
               with:
                   # Keep in sync with volta -> node version in package.json
                   node-version: 20
+                  registry-url: https://registry.npmjs.org
+                  cache: yarn
+
+            - name: Ensure npm supports OIDC
+              run: npm i -g npm@latest
 
             - name: Install dependencies
               run: yarn
@@ -30,7 +40,7 @@ jobs:
                   dry_run: true
               env:
                   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-                  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+                  NPM_CONFIG_PROVENANCE: true
 
             - name: Update version in package.json
               if: steps.next_version.outputs.new_release_version
@@ -64,7 +74,7 @@ jobs:
               uses: cycjimmy/semantic-release-action@v4
               env:
                   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-                  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+                  NPM_CONFIG_PROVENANCE: true
 
             - name: Trigger dependent builds if release published
               if: steps.semantic_release.outputs.new_release_published == 'true'