chore: update to publish on github release with npm trusted publishing

.github/workflows/publish.yml

@@ -0,0 +1,28 @@
+name: publish
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  npm:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+      packages: write
+    steps:
+      - uses: actions/checkout@v4
+      - name: node
+        uses: actions/setup-node@v3
+        with:
+          node-version-file: ".nvmrc"
+          registry-url: "https://registry.npmjs.org"
+          cache: npm
+
+      - name: Set version from release tag
+        run: npm version "${GITHUB_REF_NAME#v}" --no-git-tag-version
+      - name: Install Dependencies
+        run: npm ci
+      - name: Publish
+        run: npm publish --access public

docs/RELEASE.md

@@ -0,0 +1,35 @@
+# Release Process
+
+## Overview
+
+Publishing a new version of `@atomicfi/transact-javascript` to npm is driven entirely by GitHub Releases. No manual version bumps or npm commands are needed.
+
+## How to Release
+
+1. **Create a GitHub Release** in the [atomicfi/atomic-transact-javascript](https://github.com/atomicfi/atomic-transact-javascript) repository.
+2. **Set the tag** to the desired version (e.g., `3.0.11` or `v3.0.11`). A leading `v` prefix is automatically stripped.
+3. **Publish the release.** This triggers the `publish` workflow.
+
+## What Happens
+
+When a release is published, the [publish workflow](../.github/workflows/publish.yml) runs the following steps:
+
+1. **Set version** - `npm version` updates `package.json` to match the release tag.
+2. **Install dependencies** - `npm ci` installs dependencies from the lockfile.
+3. **Publish to npm** - `npm publish` publishes the package. Before publishing, the `prepublishOnly` script automatically:
+   - Runs `scripts/update-version.js` to replace the `__VERSION__` placeholder in `index.js` with the release version.
+   - Runs `tsc` to generate TypeScript declaration files.
+
+## npm Trusted Publishing
+
+This repository uses [npm trusted publishing](https://docs.npmjs.com/generating-provenance-statements) (also known as provenance-based publishing) to authenticate with npm. Instead of storing a long-lived npm access token, the workflow uses GitHub Actions' OIDC `id-token: write` permission to request a short-lived token directly from npm. This means:
+
+- No manual npm token rotation is required.
+- Published packages include provenance statements linking them back to this repository and the specific workflow run.
+- Only this repository's GitHub Actions workflows can publish to the `@atomicfi/transact-javascript` package.
+
+## Notes
+
+- The release tag is the single source of truth for the published version.
+- There is no need to manually update the version in `package.json` or `index.js`.
+- The workflow only triggers on the `release: published` event.