fix: update napi config and workflows for OIDC trusted publishing

- Fix native/package.json to use binaryName and targets (napi v3 format)
- Add id-token: write permission for npm OIDC authentication
- Add --provenance flag for supply chain security
- Remove NPM_TOKEN dependency, use trusted publishers instead
- Add cross-compilation linker for ARM64 Linux builds
- Update to Node.js 22

Author: Helweg

.github/workflows/build.yml

@@ -1,10 +1,14 @@
-name: Build
+name: Build and Publish
 
 on:
   release:
     types: [published]
   workflow_dispatch:
 
+permissions:
+  contents: read
+  id-token: write
+
 jobs:
   build:
     strategy:
@@ -29,7 +33,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '20'
+          node-version: '22'
           cache: 'npm'
 
       - name: Setup Rust
@@ -41,15 +45,16 @@ jobs:
         if: matrix.target == 'aarch64-unknown-linux-gnu'
         run: |
           sudo apt-get update
-          sudo apt-get install -y gcc-aarch64-linux-gnu
+          sudo apt-get install -y gcc-aarch64-linux-gnu g++-aarch64-linux-gnu
 
       - name: Install dependencies
         run: npm ci
 
       - name: Build native module
-        run: |
-          cd native
-          npx napi build --release --platform --target ${{ matrix.target }}
+        working-directory: native
+        run: npx napi build --release --platform --target ${{ matrix.target }}
+        env:
+          CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER: aarch64-linux-gnu-gcc
 
       - name: Upload artifact
         uses: actions/upload-artifact@v4
@@ -62,13 +67,16 @@ jobs:
     needs: build
     runs-on: ubuntu-latest
     if: github.event_name == 'release'
+    permissions:
+      contents: read
+      id-token: write
     steps:
       - uses: actions/checkout@v4
 
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '20'
+          node-version: '22'
           cache: 'npm'
           registry-url: 'https://registry.npmjs.org'
 
@@ -88,6 +96,4 @@ jobs:
         run: ls -la native/*.node
 
       - name: Publish to npm
-        run: npm publish
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npm publish --provenance --access public

.github/workflows/ci.yml

@@ -15,7 +15,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '20'
+          node-version: '22'
           cache: 'npm'
 
       - name: Setup Rust
@@ -25,7 +25,10 @@ jobs:
         run: npm ci
 
       - name: Build native module
-        run: npm run build:native
+        working-directory: native
+        run: |
+          cargo build --release
+          npx napi build --release --platform
 
       - name: Build TypeScript
         run: npm run build:ts
@@ -44,7 +47,7 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: '20'
+          node-version: '22'
           cache: 'npm'
 
       - name: Install dependencies

native/package.json

@@ -2,12 +2,13 @@
   "name": "codebase-index-native",
   "version": "0.1.0",
   "napi": {
-    "name": "codebase-index-native",
-    "triples": {
-      "defaults": true,
-      "additional": [
-        "aarch64-apple-darwin"
-      ]
-    }
+    "binaryName": "codebase-index-native",
+    "targets": [
+      "x86_64-apple-darwin",
+      "aarch64-apple-darwin",
+      "x86_64-unknown-linux-gnu",
+      "aarch64-unknown-linux-gnu",
+      "x86_64-pc-windows-msvc"
+    ]
   }
 }