fix(ci): drop registry-url from setup-node so wasm publish uses OIDC

[goldmedal]

Summary

After #2232 the wasm publish job still failed with:

npm error 404 Not Found - PUT https://registry.npmjs.org/@wrenai%2fwren-core-wasm
npm error 404  The requested resource '@wrenai/wren-core-wasm@0.2.0-rc.1' could not be found or you do not have permission to access it.

```
npm warn Unknown user config "always-auth". This will stop working in the next major version of npm.
```

Root cause

actions/setup-node@v4 with registry-url: https://registry.npmjs.org writes an .npmrc containing:

//registry.npmjs.org/:_authToken=${NODE_AUTH_TOKEN}
always-auth=true

After we removed NODE_AUTH_TOKEN for Trusted Publishing, the placeholder interpolates to an empty string. npm CLI then publishes with an empty bearer token instead of negotiating OIDC and the registry returns 404 / no permission. The always-auth warning above is from that same auto-generated .npmrc.

Per npm's Trusted Publishers announcement:

When publishing on a configured trusted publisher, run npm publish in CI without any token or _authToken settings.

Fix

Drop registry-url from setup-node. With no .npmrc written, npm uses its default registry (https://registry.npmjs.org/) and detects the GitHub Actions OIDC environment to perform Trusted Publishing.

Test plan

• Re-dispatch RC Release with component=wren-core-wasm and confirm publish succeeds via OIDC.

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Updated Node.js runtime to version 24 in build infrastructure.
  • Enhanced publishing security by refining authentication token handling during the release process.
  • Upgraded npm to the latest version to ensure compatibility with publishing prerequisites.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 94fadd5a-5036-49fc-a7a0-8205e5b5bb62

📥 Commits

Reviewing files that changed from the base of the PR and between 4662505 and 9dfe956.

📒 Files selected for processing (1)

• .github/workflows/publish-wren-core-wasm.yml

---

Walkthrough

The GitHub Actions workflow for publishing Wren Core WASM is updated to remove explicit npm registry authentication configuration and pin Node.js to version 24, relying instead on OIDC-based Trusted Publishing without auto-writing .npmrc auth tokens.

Changes

CI Workflow Authentication Configuration

Layer / File(s)	Summary
Node.js Setup & Auth Configuration .github/workflows/publish-wren-core-wasm.yml	Remove registry-url configuration from Node.js setup; add clarifying comments explaining that the step must not auto-write .npmrc with _authToken or always-auth=true to avoid interference with OIDC Trusted Publishing. Node version pinned to 24.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• fix(ci): read next-release version from release-please branch in rc-release #2232: Modifies the same workflow file to pin Node.js v24 and transition from token-based npm authentication to OIDC-based Trusted Publishing.

Suggested labels

ci, wasm

Suggested reviewers

• PaulChen79
• grieve54706

Poem

🐰 The token is gone, OIDC's the way,
No more .npmrc secrets on display,
Node twenty-four steady, npm stands tall,
Trusted Publishing handles it all! 📦✨

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly describes the main fix: removing registry-url from setup-node to enable OIDC-based publishing, which matches the core change in the workflow file.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/wasm-trusted-publishing-npmrc

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Review rate limit: 7/8 reviews remaining, refill in 7 minutes and 30 seconds.}

_{Comment @coderabbitai help to get the list of available commands and usage tips.}