ci: add provenance attestation to npm publish

.github/workflows/release.yml

@@ -72,6 +72,9 @@ jobs:
   publish-npm:
     runs-on: ubuntu-latest
     needs: goreleaser
+    permissions:
+      contents: read
+      id-token: write  # Required for npm provenance/trusted publishing
     steps:
       - name: Checkout
         uses: actions/checkout@v6
@@ -83,19 +86,11 @@ jobs:
           registry-url: 'https://registry.npmjs.org'
 
       - name: Publish to npm
+        run: |
+          cd npm-package
+          npm publish --access public --provenance
         env:
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-        run: |
-          if [ -z "$NODE_AUTH_TOKEN" ]; then
-            echo "::warning::NPM_TOKEN not set - skipping npm publish"
-            echo "To enable automatic npm publishing:"
-            echo "1. Create an npm access token with publish permissions"
-            echo "2. Add it as NPM_TOKEN in repository secrets"
-            exit 0
-          fi
-
-          cd npm-package
-          npm publish --access public
 
   update-homebrew:
     runs-on: ubuntu-latest