
ci: switch release workflow to npm Trusted Publishing (OIDC) #4

Merged
1337mus merged 3 commits into main from raj/trusted-publishing on Jun 21, 2026

Conversation


@1337mus 1337mus commented Jun 21, 2026

Collaborator

Security enabled a Trusted Publisher for phantom/react-native-fast-image + release.yml (keyless OIDC). This switches the workflow to use it: adds id-token: write, removes the NPM_PUBLISH_TOKEN env, and upgrades npm to a Trusted-Publishing-capable version (>= 11.5.1). Unblocks publishing 8.6.6.

Summary by CodeRabbit

Chores / CI-CD

  • Updated the npm publishing pipeline to use npm Trusted Publishing with GitHub OIDC (keyless), removing reliance on a stored publish token.
  • Adjusted workflow permissions and publishing prerequisites, including an npm version update and improved provenance-related package metadata handling.

Documentation

  • Updated package links (homepage, bugs, and repository) to point to the correct GitHub repository.

Security enabled a Trusted Publisher for this repo + release.yml, so publish keylessly via GitHub OIDC instead of the NPM_PUBLISH_TOKEN secret. Adds id-token: write, drops the token, upgrades npm to a Trusted-Publishing-capable version.

coderabbitai Bot commented Jun 21, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 326a7644-d9b6-400e-9168-333cb13edf7a

📥 Commits

Reviewing files that changed from the base of the PR and between 0406605 and b9fbb04.

📒 Files selected for processing (1)
  • .github/workflows/release.yml
🚧 Files skipped from review as they are similar to previous changes (1)
  • .github/workflows/release.yml

📝 Walkthrough

The release workflow for @phantom/react-native-fast-image is updated to use npm Trusted Publishing via GitHub OIDC instead of a stored NODE_AUTH_TOKEN secret. Header comments are revised, id-token: write permission is added, an npm upgrade step is inserted to meet version requirements on Node 20, repository metadata is restored on the built package.json for provenance validation, and the publish command no longer injects a secret token. Package.json repository metadata links are updated to reference the phantom organization.

Changes

npm OIDC Trusted Publishing Migration

| Layer | File(s) | Summary |
|---|---|---|
| OIDC permissions and header comments | .github/workflows/release.yml | Header comments are rewritten to document the Trusted Publishing (OIDC/keyless) setup and its prerequisites. id-token: write is added to workflow-level permissions to enable OIDC token exchange. |
| npm upgrade and keyless publish step | .github/workflows/release.yml | An npm upgrade step is added to satisfy the npm >= 11.5.1 requirement on Node 20. Repository metadata is restored on the built package.json for provenance validation. The publish step runs npm publish --access public without NODE_AUTH_TOKEN, authenticating via OIDC instead. |

Repository Metadata Update

| Layer | File(s) | Summary |
|---|---|---|
| GitHub repository references | package.json | The homepage, bugs.url, and repository.url fields are updated to point to the phantom/react-native-fast-image GitHub repository. |

Possibly related PRs

  • phantom/react-native-fast-image#3: Introduced the same .github/workflows/release.yml file with the original secret-based NODE_AUTH_TOKEN publish flow that this PR replaces with OIDC Trusted Publishing.

Suggested reviewers

  • steven-phantom
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title directly summarizes the main change: switching the release workflow to npm Trusted Publishing with OIDC authentication, which aligns with the primary objective of the PR. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


Comment @coderabbitai help to get the list of available commands and usage tips.
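The workflow shape the PR description and the walkthrough above describe, as an added illustration and not the repository's actual release.yml: permissions gain id-token: write, npm is upgraded past 11.5.1 on Node 20 and the job fails fast if it is not, repository.url is reset on the built package.json before publishing, and no token secret is exported. The tag trigger, the build command and the dist/ output path are assumptions, not taken from the page.

```yaml
# Added example, not the project's own release.yml. Assumed placeholders:
# the tag trigger, the build command, and the built package path (dist/).
name: release
on:
  push:
    tags: ["v*"]

permissions:
  contents: read
  id-token: write      # lets the job request a GitHub OIDC token for npm

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org

      # Node 20 bundles an npm older than 11.5.1, the first release able to
      # do the OIDC exchange: upgrade, then fail fast if it is still too old.
      - name: Upgrade npm for Trusted Publishing
        run: |
          npm install -g npm@latest
          v="$(npm --version)"
          [ "$(printf '%s\n' 11.5.1 "$v" | sort -V | head -n1)" = 11.5.1 ] \
            || { echo "npm >= 11.5.1 required, got $v"; exit 1; }

      - run: npm ci
      - run: npm run build            # placeholder for the project's build

      # The build rewrites repository.url to the upstream repo, and provenance
      # checks it against the publishing repo (E422 on mismatch), so reset it.
      - name: Restore repository metadata on built package.json
        env:
          PKG: dist/package.json      # placeholder path
          REPO_URL: git+https://github.com/${{ github.repository }}.git
        run: |
          node -e '
            const fs = require("fs");
            const pkg = JSON.parse(fs.readFileSync(process.env.PKG, "utf8"));
            pkg.repository = { type: "git", url: process.env.REPO_URL };
            fs.writeFileSync(process.env.PKG, JSON.stringify(pkg, null, 2) + "\n");
          '

      # No NODE_AUTH_TOKEN: npm exchanges the job OIDC token with the Trusted Publisher.
      - name: Publish
        working-directory: dist
        run: npm publish --access public
```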

npm Trusted Publishing validates package.json repository.url against the provenance (the building repo). It still pointed at DylanVann/react-native-fast-image, which fails provenance with E422. Update homepage/bugs/repository to phantom/react-native-fast-image.

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
.github/workflows/release.yml (1)

40-42: 🧹 Nitpick | 🔵 Trivial | ⚡ Quick win

Consider adding --provenance for supply chain attestations.

npm Trusted Publishing supports generating provenance attestations that cryptographically link the published package to this GitHub repository and workflow. This is a recommended supply chain security practice.

      # No NODE_AUTH_TOKEN: npm exchanges the GitHub OIDC token via the Trusted Publisher.
      - name: Publish
-        run: npm publish --access public
+        run: npm publish --access public --provenance
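Review bot: the `+` line frames `--provenance` as missing, but the PR's own commit messages and the walkthrough already describe provenance validation happening in this flow (the E422 failure on `repository.url`, and the metadata restore added to satisfy it), so the OIDC publish is being checked against provenance without the flag. Before taking the suggestion, confirm whether the explicit flag changes anything for a Trusted Publishing publish; adding it is harmless and documents intent, but the comment's rationale should not claim attestations are absent today. Either way, the published version's provenance can be checked on its npmjs.com page after the release.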
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/release.yml around lines 40 - 42, The npm publish command
in the Publish step is missing the `--provenance` flag which generates
cryptographic supply chain attestations. Modify the run command that contains
`npm publish --access public` to add the `--provenance` flag to the npm publish
command, enabling provenance attestations that link the published package to the
GitHub repository and workflow for enhanced supply chain security.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 97bae626-9f89-4594-a8e8-862b13e711c4

📥 Commits

Reviewing files that changed from the base of the PR and between bf595e6 and c921212.

📒 Files selected for processing (1)
  • .github/workflows/release.yml

dv-scripts build rewrites package.json repository.url to the upstream repo, failing Trusted Publishing provenance (E422). Re-set it on the built package.json right before publish.
@1337mus 1337mus merged commit ac0bbef into main Jun 21, 2026
12 checks passed