Switch to npm OIDC trusted publishing

- Add id-token: write permission for OIDC authentication
- Upgrade Node.js 18 → 22 for npm compatibility
- Install latest npm (≥11.5.1) for OIDC support
- Use npm publish --provenance for attestations
- Remove NPM_TOKEN dependency (no longer needed)

Author: iamfiscus

.github/workflows/ci-cd.yml

@@ -54,6 +54,7 @@ jobs:
     permissions:
       contents: write
       packages: write
+      id-token: write
     steps:
       - uses: actions/checkout@v4
         with:
@@ -63,9 +64,12 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '18'
+          node-version: '22'
           registry-url: 'https://registry.npmjs.org'
 
+      - name: Install latest npm for OIDC support
+        run: npm install -g npm@latest
+
       - name: Install dependencies
         run: npm ci
 
@@ -110,6 +114,4 @@ jobs:
           generate_release_notes: true
 
       - name: Publish to npm
-        run: npm publish --access public
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npm publish --provenance --access public