docs: align npm trusted publishing setup

.github/workflows/publish.yml

@@ -12,14 +12,19 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
-      - uses: actions/setup-node@v4
+      - uses: actions/setup-node@v6
         with:
           node-version: "24"
           registry-url: "https://registry.npmjs.org"
           package-manager-cache: false
 
+      - name: Check npm trusted publishing runtime
+        run: |
+          node --version
+          npm --version
+
       - name: Install dependencies
         run: npm install --no-audit --no-fund
 

README.md

@@ -105,10 +105,17 @@ Configure the package trusted publisher on npmjs.com with:
 - Organization or user: `useorgx`
 - Repository: `orgx-opencode-plugin`
 - Workflow filename: `publish.yml`
+- Allowed action: `npm publish`
+- Environment name: leave empty unless this workflow is later moved behind a GitHub environment
 
 The package `repository.url` must keep matching this GitHub repository exactly,
 otherwise npm trusted publishing can fail authentication.
 
+If the release workflow builds successfully but fails at `npm publish` with
+`E404` / "not found or you do not have permission", re-check the npm package's
+trusted publisher settings above. The workflow uses OIDC, so a local npm login
+is not used by GitHub Actions.
+
 ## Status
 
 Alpha. Part of the Sovereign Execution initiative (`993cabeb`).