
fix: Use GITHUB_TOKEN for release-please and enable npm provenance#925

Merged
broofa merged 2 commits into main from copilot/fix-trusted-publishing-configuration on Feb 26, 2026

Conversation

Contributor

Copilot AI commented Feb 25, 2026

The release workflow was using a PAT (UUID_RELEASE_PLEASE_TOKEN) for release-please-action, which doesn't work with npm trusted publishing. The workflow also lacked the --provenance flag needed to generate signed attestations via OIDC — the missing piece for the npm Provenance badge.

Changes

  • .github/workflows/release-please.yml
    • Replace PAT with secrets.GITHUB_TOKEN for release-please-action (its intended default)
    • Add --provenance flag to npm publish, enabling OIDC-based attestation via the existing id-token: write permission
- token: ${{ secrets.UUID_RELEASE_PLEASE_TOKEN }}
+ token: ${{ secrets.GITHUB_TOKEN }}
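Review bot: this swap removes the only reference to `UUID_RELEASE_PLEASE_TOKEN`, so the now-unused repository secret should be deleted (and the PAT behind it revoked) as part of this change, otherwise a long-lived credential lingers for no reason; the hunk also does not show the job's `permissions:` block, and with `GITHUB_TOKEN` release-please depends on what is granted there (`contents: write` to create tags and releases, `pull-requests: write` to open the release PR), so include those lines as context or state them in the description so a reviewer can confirm they exist.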

- run: npm publish
+ run: npm publish --provenance
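Review bot: `npm publish --provenance` fails when `id-token: write` is not granted at the job level or when the step is not pointed at the npm registry, and neither is visible in this hunk; the description relies on the permission being "already present", so add the `permissions:` block and the `setup-node` `registry-url` lines as context so that dependency can be verified, and a one-line workflow comment noting that trusted publishing needs a recent npm CLI would save the next person a failed release.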

No npm access token is required — the id-token: write permission (already present) supplies the OIDC token that npm uses to verify and record provenance.
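To show the two settings above in context, here is an added example of a complete release job using GitHub's OIDC token for npm trusted publishing. It is not the `uuid` project's actual `release-please.yml`; the job name, action versions, Node version, and the `release_created` gate are assumptions taken from release-please-action's documented outputs, not from this PR.

```yaml
# Added example, not the project's own workflow. Names and versions are assumed.
name: release-please
on:
  push:
    branches: [main]

# GITHUB_TOKEN carries exactly these grants and nothing more.
permissions:
  contents: write        # release-please creates tags and GitHub releases
  pull-requests: write   # release-please opens/updates the release PR
  id-token: write        # lets npm request the OIDC token that --provenance needs

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: googleapis/release-please-action@v4
        id: release
        with:
          # The action's default; no long-lived PAT such as the removed
          # UUID_RELEASE_PLEASE_TOKEN is involved.
          token: ${{ secrets.GITHUB_TOKEN }}

      - uses: actions/checkout@v4
        if: ${{ steps.release.outputs.release_created }}

      - uses: actions/setup-node@v4
        if: ${{ steps.release.outputs.release_created }}
        with:
          node-version: 22
          # Points npm at npmjs so the publish step talks to the right registry.
          registry-url: https://registry.npmjs.org

      - run: npm ci
        if: ${{ steps.release.outputs.release_created }}

      # No NODE_AUTH_TOKEN / NPM_TOKEN env here: the registry authenticates the
      # workflow's OIDC identity (repository + workflow file) instead of a
      # stored secret, and --provenance attaches the signed attestation that
      # backs the Provenance badge on the package page.
      - run: npm publish --provenance
        if: ${{ steps.release.outputs.release_created }}
```

Trusted publishing also requires the package's settings on npmjs to list this repository and workflow file name as a trusted publisher; without that pairing the publish is rejected regardless of the flag.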

Original prompt

This section details the original issue you should resolve

<issue_title>[BUG] Trusted Publishing Misconfiguration</issue_title>
<issue_description>### Before you begin...

  • I have searched the existing issues
  • My issue title is descriptive and specific to the problem (i.e. search-engine friendly)
  • I understand what an "MRE" is, and why providing one is important. (If not, read this)

MRE and Description

Hello,

It appears that you have attempted to implement trusted publishing with a PAT secret. Trusted publishing leverages the secrets.GITHUB_TOKEN instead so that Github manages the entire process for the publishing.

Looking into Google's release-please, their default token is set to this GitHub token:

Image

Please let me know if you have any questions or need any assistance on changing the token.

Environment

Github Actions</issue_description>

Comments on the Issue (you are @copilot in this section)

@broofa Please elaborate on what exactly needs to be done differently.

My understanding is that the GITHUB_TOKEN isn't required for trusted publishing. I've setup this repo per the NPM instructions.

@broofa `uuid` hasn't been published since I added the Trusted Publishing workflow, which may explain why the **Provenance** badge doesn't show up on the NPM page.

Forgive my ignorance here, but I don't see GITHUB_TOKEN referenced anywhere in your test repository.



…publish

Co-authored-by: broofa <164050+broofa@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix trusted publishing misconfiguration with PAT secret" to "fix: Use GITHUB_TOKEN for release-please and enable npm provenance" Feb 25, 2026
Copilot AI requested a review from broofa February 25, 2026 12:28
@broofa
Member

broofa commented Feb 25, 2026

@Cevan00: Can you confirm these changes make sense based on your experience?

@Cevan00

Cevan00 commented Feb 25, 2026

Hi @broofa ,

Yes this looks accurate. I appreciate your attention to the matter!

@broofa broofa marked this pull request as ready for review February 26, 2026 00:06
@broofa broofa merged commit ffa3138 into main Feb 26, 2026
15 checks passed
@broofa broofa deleted the copilot/fix-trusted-publishing-configuration branch February 26, 2026 00:07


Development

Successfully merging this pull request may close these issues.

[BUG] Trusted Publishing Misconfiguration

3 participants