ci: configure npm provenance publishing with OIDC token

Switch from NPM_TOKEN secret to id-token OIDC permission for npm
provenance support. Add Node.js setup step with registry configuration.

Author: hiddentao

.github/workflows/ci.yml

@@ -9,6 +9,7 @@ permissions:
   contents: write
   issues: write
   pull-requests: write
+  id-token: write
 
 jobs:
   build:
@@ -35,10 +36,18 @@ jobs:
       - name: Test
         run: bun test
 
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: lts/*
+          registry-url: https://registry.npmjs.org
+
+      - name: Update npm
+        run: npm install -g npm@latest
+
       - name: Release
         if: github.ref == 'refs/heads/main'
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: npx semantic-release