chore: update workflow to use trusted publishing

[UziTech]

Description

Update release workflow to use tested publishing instead of the NPM_TOKEN which is deprecated.

Contributor

• Test(s) exist to ensure functionality and minimize regression (if no tests added, list tests covering this PR); or,
• no tests required for this PR.
• If submitting new feature, it has been documented in the appropriate places.

Committer

In most cases, this should be a different person than the contributor.

• CI is green (no forced merge required).
• Squash and Merge PR following conventional commit guidelines.

[vercel]

@UziTech is attempting to deploy a commit to the MarkedJS Team on Vercel.

A member of the Team first needs to authorize it.

[gemini-code-assist]

Summary of Changes

Hello @UziTech, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request focuses on a significant update to the project's release workflow, transitioning to a more secure and recommended 'trusted publishing' model. This change necessitates updates to various core dependencies, particularly npm and GitHub Actions-related packages, to ensure compatibility and leverage the new security features. The overall goal is to modernize the publishing process and improve its integrity.

Highlights

• Trusted Publishing Adoption: The primary change is the migration of the release workflow to utilize trusted publishing, replacing the deprecated NPM_TOKEN for enhanced security and modern best practices.
• Dependency Updates: Key dependencies, including @actions/core, @actions/http-client, and the core npm package, have been updated to their latest versions, bringing numerous sub-dependency updates.
• Peer Dependency Flag: The "peer": true flag has been added to several development dependencies within package-lock.json, clarifying their role as peer dependencies.

Ignored Files

• Ignored by pattern: .github/workflows/** (1)
  • .github/workflows/tests.yml

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

The pull request updates the package-lock.json file, reflecting various dependency updates across several @actions, @npmcli, and @sigstore packages. This is a positive step towards updating the release workflow to use trusted publishing. Notably, there are major version bumps for common-ancestor-path and lru-cache within the npm dependency tree, which also involve changes in their licenses. It is important to ensure these major version updates do not introduce breaking changes and that the new licenses are compatible with the project's licensing policy.

[gemini-code-assist]

The common-ancestor-path dependency has been updated from version 1.0.1 to 2.0.0, which is a major version bump. Additionally, its license has changed from ISC to BlueOak-1.0.0. Please confirm that this major version update does not introduce any breaking changes and that the new license is compatible with our project's licensing requirements.

[gemini-code-assist]

The common-ancestor-path dependency, specifically the bundled version within npm, has been updated from 1.0.1 to 2.0.0, and its license changed from ISC to BlueOak-1.0.0. As this is a major version change and a license update, please verify compatibility and ensure the new license is acceptable.

[gemini-code-assist]

The lru-cache dependency, bundled within npm, has had its license changed from ISC to BlueOak-1.0.0. Please ensure this license change is compatible with our project's licensing policy.