fix: set up releasing with trusted publishing

Author: limonte

.github/workflows/ci.yml

@@ -10,10 +10,22 @@ jobs:
   build:
     if: "!contains(github.event.commits[0].message, '[skip ci]')"
     runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: write # to be able to publish a GitHub release
+      issues: write # to be able to comment on released issues
+      pull-requests: write # to be able to comment on released pull requests
+      id-token: write # to enable use of OIDC for trusted publishing and npm provenance
 
     steps:
     - uses: actions/checkout@v5
 
+    # because npm 10.8.2 (default) doesn't work with trusted publishing, 11.6.2 works
+    - name: Setup Node.js
+      uses: actions/setup-node@v4
+      with:
+        node-version: 'lts/*'
+
     - name: Install npm dependencies
       run: yarn install
 
@@ -38,6 +50,5 @@ jobs:
     - name: Run automated release process with semantic-release
       if: github.event_name == 'push' && contains(github.ref, 'main')
       env:
-        GH_TOKEN: ${{ secrets.GH_TOKEN }}
-        NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       run: yarn semantic-release