Upgrade GitHub Actions to version 4 #351

Closed
gracepark wants to merge 1 commit into main from gp/oidc-migration-2

Copilot AI review requested due to automatic review settings May 8, 2026 19:21
@gracepark gracepark requested a review from a team as a code owner May 8, 2026 19:21
@gracepark gracepark closed this May 8, 2026

Copilot AI left a comment

Pull request overview

Updates the release publishing workflow to newer GitHub Actions versions and adjusts the Node/npm publishing setup as part of an OIDC migration effort.

Changes:

  • Upgraded actions/checkout and actions/setup-node from v3 to v4 in the publish workflow.
  • Bumped the publish workflow Node version from 22 to 24.
  • Removed npm token-based authentication from the npmjs publish step (implying an OIDC/trusted publishing flow).

| File | Description |
| --- | --- |
| .github/workflows/publish.yml | Upgrades checkout/setup-node actions to v4, bumps Node version, and changes publishing auth behavior for npm/GitHub Packages. |

Copilot's findings

Comments suppressed due to low confidence (3)

.github/workflows/publish.yml:27

  • The npm publish step no longer provides any registry credentials (NODE_AUTH_TOKEN was removed). Unless this package has npm Trusted Publishing (OIDC) configured on npmjs.com, npm publish will be unauthenticated and fail. If Trusted Publishing isn’t configured, re-introduce an auth token (e.g., NODE_AUTH_TOKEN from a secret) for the publish step; if it is configured, consider adding a short note/guard to make the dependency on OIDC explicit to avoid future breakage.
      - run: npm version ${TAG_NAME} --git-tag-version=false
        env:
          TAG_NAME: ${{ github.event.release.tag_name }}
      - run: npm --ignore-scripts publish --provenance --access public

.github/workflows/publish.yml:42

  • In this job, actions/setup-node is configuring the GitHub Packages registry (npm.pkg.github.com), but there is no NODE_AUTH_TOKEN (or other npm auth) provided anywhere in the job. Since setup-node typically writes an .npmrc that references NODE_AUTH_TOKEN, the later npm publish is likely to fail with 401 unless auth is injected elsewhere. Consider setting NODE_AUTH_TOKEN for the job/publish step (commonly ${{ github.token }} / ${{ secrets.GITHUB_TOKEN }}) or otherwise explicitly configuring npm auth for this registry.
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 24
          registry-url: https://npm.pkg.github.com
          cache: npm
          scope: '@github'

.github/workflows/publish.yml:16

  • PR title suggests upgrading GitHub Actions to v4, but only publish.yml is updated here; .github/workflows/test.yml still uses actions/checkout@v3 and actions/setup-node@v3. If the intent is a repo-wide Actions v4 upgrade, consider updating the other workflows as well (or adjust the PR title/scope to match).
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
  • Files reviewed: 1/1 changed files
  • Comments generated: 1

Comment on lines +15 to 20
- uses: actions/checkout@v4
- uses: actions/setup-node@v4
with:
node-version: 22
node-version: 24
registry-url: https://registry.npmjs.org/
cache: npm
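
Review bot: `actions/checkout@v4` and `actions/setup-node@v4` at the top of this hunk are referenced by mutable major-version tags in a workflow that publishes packages; pin both to full commit SHAs (keeping `# v4` as a trailing comment) so that a moved tag cannot change what runs in the publish job. The `node-version: 24` bump comes with no auth or permissions change in these lines, so confirm the job grants `id-token: write` before relying on tokenless publishing to registry.npmjs.org.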
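
The two publish jobs discussed in the suppressed comments, with the authentication each one depends on made explicit. This is an added example, not this repository's publish.yml: the job names, the release trigger type and the permissions blocks are assumptions, and the npmjs job assumes Trusted Publishing is already configured for the package on npmjs.com.

```yaml
# Added illustration; job names, trigger type and permissions are assumptions.
name: Publish
on:
  release:
    types: [created]

jobs:
  publish-npm:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write   # lets the job request the OIDC token used by --provenance and trusted publishing
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 24
          registry-url: https://registry.npmjs.org/
          cache: npm
      - run: npm version ${TAG_NAME} --git-tag-version=false
        env:
          TAG_NAME: ${{ github.event.release.tag_name }}
      # No NODE_AUTH_TOKEN on this step: it only succeeds if a trusted publisher
      # for this repository and workflow file is configured on npmjs.com.
      - run: npm --ignore-scripts publish --provenance --access public

  publish-github:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write   # required for GITHUB_TOKEN to publish to GitHub Packages
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 24
          registry-url: https://npm.pkg.github.com
          cache: npm
          scope: '@github'
      - run: npm version ${TAG_NAME} --git-tag-version=false
        env:
          TAG_NAME: ${{ github.event.release.tag_name }}
      - run: npm --ignore-scripts publish
        env:
          # The .npmrc written by setup-node reads its auth token from this variable.
          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```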