This repository was archived by the owner on Nov 19, 2025. It is now read-only.

chore: Update GitHub Actions workflows to use trusted publishers and latest action versions #265

Merged
kentcdodds merged 6 commits into main from copilot/update-github-actions-workflows on Oct 22, 2025

Conversation

Contributor

Copilot AI commented Oct 22, 2025

Overview

This PR modernizes the repository's GitHub Actions workflows to comply with the 2025 npm authentication and token management changes. These updates ensure secure npm publishing using GitHub's OIDC authentication instead of legacy token-based authentication.

Changes

validate.yml

  • Upgraded actions/checkout from v4 to v5 (3 instances across build, e2e, and release jobs)
  • Upgraded actions/setup-node from v4 to v6 (2 instances in build and e2e jobs)
  • Updated node-version to use LTS aliases for future-proofing:
    • Build and E2E job matrices: [lts/-1, lts/*, latest] (previously [22, 24] and [24])
    • Release job cache key: build-lts/*-${{ github.sha }} (previously build-24-${{ github.sha }})
  • Upgraded cycjimmy/semantic-release-action from v4 to v5.0.2
  • Updated semantic_version input from 24 to 25 to match the latest semantic-release major version
  • Removed NPM_TOKEN reference from the release job's environment variables
  • Added explicit permissions to the release job to enable OIDC-based npm publishing:
    permissions:
      contents: write       # to publish GitHub releases
      id-token: write       # to enable OIDC for npm provenance
      issues: write         # to comment on released issues
      pull-requests: write  # to comment on released pull requests

auto-format.yml

  • Upgraded actions/checkout from v4 to v5
  • Upgraded actions/setup-node from v4 to v6
  • Updated node-version from 24 to lts/* for automatic LTS tracking

Security

✅ All changes pass CodeQL security analysis with 0 alerts

The new OIDC-based authentication approach provides enhanced security by:

  • Eliminating the need to manage long-lived NPM tokens
  • Using short-lived, automatically rotated credentials
  • Providing cryptographic proof of package provenance
  • Following GitHub's recommended security best practices

Testing

  • ✅ YAML syntax validated
  • ✅ No breaking changes to workflow logic or job dependencies
  • ✅ Existing build, test, and release processes remain unchanged

Notes

The workflows now use Node.js LTS version aliases (lts/-1, lts/*, latest) instead of hardcoded version numbers, making them future-proof and eliminating the need for manual updates when Node.js LTS versions change.

No changes were made to job logic, environment blocks, or other unrelated configurations as per the requirement to make minimal, focused updates for security and release modernization.

Fixes #264

Original prompt

This section details the original issue you should resolve.

<issue_title>Update to use trusted publishers</issue_title>
<issue_description>Review and modernize this repository’s GitHub Actions workflows to comply with the [2025 npm authentication and token management changes](https://github.blog/changelog/2025-09-29-strengthening-npm-security-important-changes-to-authentication-and-token-management/).

Focus only on updating workflow steps and permissions, not environment configuration or unrelated logic.

Specifically:

  1. Upgrade all actions/checkout steps to the latest major version (currently v5).

  2. Upgrade all actions/setup-node steps to the latest major version (currently v6).

  3. Update node-version values to the current LTS (currently 24).

  4. Upgrade cycjimmy/semantic-release-action to the latest major version (currently v5.0.2).

  5. Update the semantic_version input to the current major (currently 25).

  6. Remove all references to NPM_TOKEN, as npm releases now use GitHub’s OIDC authentication for provenance.

  7. Add explicit permissions to the semantic-release job:

    permissions:
      contents: write # to be able to publish a GitHub release
      id-token: write # to enable use of OIDC for npm provenance
      issues: write # to be able to comment on released issues
      pull-requests: write # to be able to comment on released pull requests

Do not modify other permissions, secrets, job logic, or environment blocks unrelated to these security and release changes.</issue_description>

Comments on the Issue (you are @copilot in this section)

Fixes #264




Note

Modernizes CI workflows: upgrade actions, switch Node versions to LTS aliases, and enable OIDC-based releases with updated semantic-release.

  • CI Workflows
    • validate.yml:
      • Upgrade actions/checkout to v5 and actions/setup-node to v6.
      • Change Node matrix to [lts/-1, lts/*, latest]; E2E node-version to lts/*.
    • auto-format.yml:
      • Upgrade actions/checkout to v5 and actions/setup-node to v6.
      • Set node-version to lts/*.
  • Release:
    • Add explicit permissions for OIDC-based publishing.
    • Update cache key to build-lts/*-${{ github.sha }}.
    • Upgrade cycjimmy/semantic-release-action to v5.0.2 and semantic_version to 25.
    • Remove NPM_TOKEN from environment.

Written by Cursor Bugbot for commit d1aba08.


coderabbitai Bot commented Oct 22, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Note

Other AI code review bot(s) detected

CodeRabbit has detected other AI code review bot(s) in this pull request and will avoid duplicating their findings in the review comments. This may lead to a less comprehensive review.


Comment @coderabbitai help to get the list of available commands and usage tips.

Copilot AI changed the title [WIP] Update GitHub Actions workflows for trusted publishers chore: Update GitHub Actions workflows to use trusted publishers and latest action versions Oct 22, 2025
Copilot AI requested a review from kentcdodds October 22, 2025 23:25
@kentcdodds (Owner)

@copilot, update node-version values to lts/* for the release job, and if there's a matrix in place for other jobs, use [lts/-1, lts/*, latest] so we don't have to keep these versions updated in the future. If it's a single node version, then lts/* alone works.


codecov Bot commented Oct 22, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (152ae6a) to head (d1aba08).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@            Coverage Diff            @@
##              main      #265   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files            4         4           
  Lines          155       155           
  Branches        52        52           
=========================================
  Hits           155       155           


Contributor (Author)

Copilot AI commented Oct 22, 2025

@copilot, Update node-version values to lts/* for the release job and if there's a matrix in place for other jobs, use [lts/-1, lts/*, latest] so we don't have to keep these versions updated...

Updated! Changes made in commit 2c212ca:

  • Build and E2E job matrices now use [lts/-1, lts/*, latest]
  • Auto-format job now uses lts/* (single version)
  • Release job cache key updated to build-lts/*-${{ github.sha }}

The workflows will now automatically use the appropriate Node.js versions without manual updates.

@kentcdodds kentcdodds marked this pull request as ready for review October 22, 2025 23:43
@kentcdodds kentcdodds merged commit 2ff1d88 into main Oct 22, 2025
11 checks passed
@kentcdodds kentcdodds deleted the copilot/update-github-actions-workflows branch October 22, 2025 23:51