ci: migrate to trusted publishing

Author: frantic1048

.github/workflows/ci.yml

@@ -76,6 +76,9 @@ jobs:
     if: ${{ always() && !failure() && !cancelled() }}
     needs: check-beachball-changefile
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
     steps:
       - uses: actions/checkout@v4
       - uses: pnpm/action-setup@v4
@@ -91,19 +94,15 @@ jobs:
       - name: Publish (development)
         if: github.repository == 'RightCapitalHQ/php-parser' && github.base_ref == github.event.repository.default_branch
         env:
-          NPM_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
+          HEAD_REF: ${{ github.head_ref }}
         run: |
-          npm config set //registry.npmjs.org/:_authToken "${NPM_TOKEN}"
           preid="${HEAD_REF//\//-}".${{ github.run_number }}.${{ github.run_attempt }}
           npm --no-git-tag-version version prerelease --preid="${preid}"
           pnpm publish --no-git-checks --access public --tag development
 
       - name: Publish (main)
         if: github.repository == 'RightCapitalHQ/php-parser' && github.ref_name == github.event.repository.default_branch
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
         run: |
-          npm config set //registry.npmjs.org/:_authToken "${NPM_TOKEN}"
           git config --local user.email "npm-publisher@rightcapital.com"
           git config --local user.name "GitHub Actions[bot]"
           pnpm beachball publish --access public --yes -m 'chore(release): applying package updates'

.node-version

@@ -1 +1 @@
-22.17.1
+24.10.0

change/@rightcapital-php-parser-9db5dd01-369b-4e20-b50a-d29fb6c573d3.json

@@ -0,0 +1,7 @@
+{
+  "comment": "ci: migrate to trusted publishing",
+  "type": "none",
+  "packageName": "@rightcapital/php-parser",
+  "email": "im@pyonpyon.today",
+  "dependentChangeType": "none"
+}