fix(ci): remove manual npm token setup in favor of trusted publishing and simply user experience (#104)

* fix(ci): remove manual npm token setup in favor of trusted publishing

npm trusted publishing via OIDC (id-token: write) handles authentication
without requiring a long-lived NPM_PUBLISH_TOKEN secret, eliminating the
OTP/2FA requirement that caused EOTP errors in CI.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

* feat(ci): auto-parse version from tag in publish workflow

When workflow_dispatch is triggered on a datadog-serverless-compat/v<x.y.z>
tag, the version is parsed automatically from GITHUB_REF. The version input
is required when running on a branch, and the workflow fails with a clear
error if omitted.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: litianningdatadog

.github/workflows/publish.yml

@@ -12,8 +12,8 @@ on:
           - 'Build'
           - 'Build and Publish'
       version:
-        description: 'NPM package version (x.y.z)'
-        required: true
+        description: 'NPM package version (x.y.z) — required when running on a branch; auto-parsed from tag when running on a datadog-serverless-compat/v<x.y.z> tag'
+        required: false
         type: string
 
 permissions:
@@ -56,9 +56,23 @@ jobs:
           name: windows-amd64
           path: target/windows-amd64
       - run: upx target/windows-amd64/datadog-serverless-compat.exe --lzma
+      - name: Determine version
+        id: determine-version
+        env:
+          INPUT_VERSION: ${{ inputs.version }}
+        run: |
+          if [[ "$GITHUB_REF" == refs/tags/datadog-serverless-compat/v* ]]; then
+            VERSION="${GITHUB_REF#refs/tags/datadog-serverless-compat/v}"
+          elif [[ -n "$INPUT_VERSION" ]]; then
+            VERSION="$INPUT_VERSION"
+          else
+            echo "Error: version input is required when not running on a datadog-serverless-compat/v<x.y.z> tag"
+            exit 1
+          fi
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
       - name: Package binaries into npm packages
         env:
-          VERSION: ${{ inputs.version }}
+          VERSION: ${{ steps.determine-version.outputs.version }}
         run: |
           mkdir -p npm/datadog-serverless-compat-linux-x64/bin
           cp target/linux-amd64/datadog-serverless-compat npm/datadog-serverless-compat-linux-x64/bin/
@@ -91,9 +105,6 @@ jobs:
         with:
           node-version: "22.x"
           registry-url: 'https://registry.npmjs.org'
-      - run: npm config set //registry.npmjs.org/:_authToken=$NPM_PUBLISH_TOKEN
-        env:
-          NPM_PUBLISH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
       - name: Publish npm packages
         run: |
           npm publish ./npm/datadog-serverless-compat-linux-x64 --provenance --access public