ci: switch release workflow to npm trusted publishing (OIDC)

[ryansolid]

Summary

The alpha release job has been failing with EOTP errors (example run) — npm now enforces 2FA on publishes authenticated with legacy tokens, so the NPM_PUBLISH_TOKEN secret can no longer publish from CI.

This switches the release workflow to npm trusted publishing (OIDC):

• Add permissions block with id-token: write so the job can mint an OIDC token (plus contents/pull-requests: write for the changesets release PR flow)
• Bump .nvmrc to Node 24 LTS — trusted publishing requires npm >= 11.5.1, and Node 24 bundles npm 11.x. Note changeset publish → pnpm publish → npm publish under the hood (pnpm#9812), so the runner's npm CLI is what performs the OIDC exchange.
• Pinned to 24.15.0 specifically: 24.16.0 has an extract-zip/yauzl regression (nodejs/node#63487) that hangs Playwright (< 1.60) browser installs in CI — confirmed against this very PR before pinning down. Can move forward once 24.17.0 ships the fix (or Playwright is bumped to >= 1.60).
• Remove NPM_TOKEN/NODE_AUTH_TOKEN entirely — changesets/action >= 1.7.0 supports tokenless OIDC publishing (changesets/action#545)
• Bump actions/checkout v3 → v4 (v3 runs on Node 20, which GitHub deprecates June 16, 2026)

All workflows read .nvmrc, so tests/typecheck CI moves to Node 24 with this PR (engines remain >=22).

Requires trusted publisher config on npmjs.com for both @solidjs/start and @solidjs/vite-plugin-nitro-2 (repo solidjs/solid-start, workflow release.yml, no environment, "Allow npm publish" enabled).

After merge: delete the NPM_PUBLISH_TOKEN repo secret and revoke the token on npmjs.com.

Test plan

• CI (tests/typecheck) green on Node 24.15.0 — full suite passed in 1m22s, matching main baseline
• Verify trusted publisher settings on npmjs.com for both packages
• Merge and confirm the Release workflow publishes the pending alpha without EOTP

[changeset-bot]

⚠️ No Changeset found

Latest commit: a80c6fe

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[netlify]

✅ Deploy Preview for solid-start-landing-page ready!

Name	Link
🔨 Latest commit	a80c6fe
🔍 Latest deploy log	https://app.netlify.com/projects/solid-start-landing-page/deploys/6a2b79ec5a94710008ade3dd
😎 Deploy Preview	https://deploy-preview-2157--solid-start-landing-page.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.
🤖 Make changes	Run an agent on this branch

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/solidjs/solid-start/@solidjs/start@2157

npm i https://pkg.pr.new/solidjs/solid-start/@solidjs/vite-plugin-nitro-2@2157

commit: a80c6fe