chore: test trusted publishing (#1397)

<!--🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅

You can expedite processing of your PR by using this template to provide
context
and additional information. Before actually opening a PR please make
sure that it
does NOT fall into any of the following categories

🚫 Spam PRs (accidental or intentional) - these will result in a 30-days
or even
∞ ban from interacting with the project depending on reoccurrence and
severity.

🚫 Lazy typo fixing PRs - if you fix a typo in a file, your PR will only
be merged
if all other typos in the same file are also fixed with the same PR

🚫 If you fail to provide any _Description_ below, your PR will be
considered spam.
If you do not check the _Affirmation_ box below, your PR will not be
merged.

🚫 If you do not check one of the _AI Tool Disclosure_ boxes below, your
PR will
not be merged. If you used AI tools to assist you in writing code, but
fail to
provide the required disclosure, your PR will not be merged.

🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅🔅-->

### Description

<!-- ✍️-->
A clear and concise summary of the change and which issue (if any) it
fixes. Should also include relevant motivation and context.

Resolves or fixes issue: <!-- ✍️ Add GitHub issue number in format
`#0000` or `none` -->

### AI Tool Disclosure

- [x] My contribution does not include any AI-generated content
- [ ] My contribution includes AI-generated content, as disclosed below:
  - AI Tools: `[e.g. GitHub CoPilot, ChatGPT, JetBrains Junie etc.]`
- LLMs and versions: `[e.g. GPT-4.1, Claude Haiku 4.5, Gemini 2.5 Pro
etc.]`
- Prompts: `[Summarize the key prompts or instructions given to the AI
tools]`

### Affirmation

- [x] My code follows the
[CONTRIBUTING.md](https://github.com/CycloneDX/cyclonedx-javascript-library/blob/main/CONTRIBUTING.md)
guidelines

---------

Signed-off-by: Jan Kowalleck <jan.kowalleck@gmail.com>
Signed-off-by: jkowalleck <jkowalleck@users.noreply.github.com>
Co-authored-by: jkowalleck <jkowalleck@users.noreply.github.com>

Author: jkowalleck

.github/workflows/release.yml

@@ -35,7 +35,7 @@ env:
   REPORTS_DIR: CI_reports
   PACKED_DIR: CI_packed
   PACKED_ARTIFACT: packed
-  NODE_ACTIVE_LTS: "24"
+  NODE_ACTIVE_LTS: "24"  # https://nodejs.org/en/about/releases/
 
 jobs:
   bump:
@@ -57,22 +57,20 @@ jobs:
         run: |
           set -eux
           git config --local user.email "${GITHUB_ACTOR}@users.noreply.github.com"
-          git config --local user.name  "${GITHUB_ACTOR}"
+          git config --local user.name "${GITHUB_ACTOR}"
       - name: Setup Node.js ${{ env.NODE_ACTIVE_LTS }}
         # see https://github.com/actions/setup-node
         uses: actions/setup-node@v6
         with:
           node-version: ${{ env.NODE_ACTIVE_LTS }}
           package-manager-cache: false
-      - name: update npm
-        run: npm install -g npm@latest
       ## ! no npm build at the moment
       - name: bump VERSION
         id: bump
         run: |
           set -eux
           COMMIT_SIG="Signed-off-by: $(git config user.name) <$(git config user.email)>"
-          VERSION="$( npm version "$NPMV_NEWVERSION" --message "$NPMV_MESSAGE"$'\n\n'"$COMMIT_SIG" --preid "$NPMV_PREID" )"
+          VERSION="$(npm version "$NPMV_NEWVERSION" --message "$NPMV_MESSAGE"$'\n\n'"$COMMIT_SIG" --preid "$NPMV_PREID")"
           echo "::debug::new version = $VERSION"
           VERSION_PLAIN="${VERSION:1}" # remove 'v' prefix
           echo "::debug::plain version = $VERSION_PLAIN"
@@ -85,10 +83,10 @@ jobs:
       - name: git push back
         run: git push --follow-tags
 
-  publish-package:
+  publish-NPMJS-GH:
     needs:
       - "bump"
-    name: publish package
+    name: publish NPMJS & GH
     runs-on: ubuntu-latest
     timeout-minutes: 30
     permissions:
@@ -108,12 +106,10 @@ jobs:
         with:
           node-version: ${{ env.NODE_ACTIVE_LTS }}
           package-manager-cache: false
-      - name: update npm
-        run: npm install -g npm@latest
       - name: setup project
         run: |
           npm install --ignore-scripts --include=optional --loglevel=silly
-      - name: setup tools
+      - name: install tools
         run: |
           echo "::group::install docs-gen deps"
           npm run -- dev-setup:tools:docs-gen   --ignore-scripts --loglevel=silly
@@ -125,20 +121,16 @@ jobs:
           npm run -- dev-setup:tools:test-dependencies --ignore-scripts --loglevel=silly
           echo "::endgroup::"
       # no explicit npm build. if a build is required, it should be configured as prepublish/prepublishOnly script of npm.
-      - name: login to registries
-        run: |
-          npm config set "//registry.npmjs.org/:_authToken=$NPM_TOKEN"
-          npm config set "//npm.pkg.github.com/:_authToken=$GITHUB_TOKEN"
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
       - name: publish to NPMJS as "${{ env.PACKAGE_RELEASE_TAG }}"
         run: >
           npm publish
-          --@cyclonedx:registry='https://registry.npmjs.org'
           --provenance
-          --access public 
+          --access public
           --tag "$PACKAGE_RELEASE_TAG"
+      - name: login to GH package registries
+        run: npm config set "//npm.pkg.github.com/:_authToken=$GITHUB_TOKEN"
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: publish to GitHub as "${{ env.PACKAGE_RELEASE_TAG }}"
         run: >
           npm publish
@@ -161,7 +153,7 @@ jobs:
   release-GH:
     needs:
       - "bump"
-      - "publish-package"
+      - "publish-NPMJS-GH"
     name: publish GitHub
     runs-on: ubuntu-latest
     timeout-minutes: 30

package.json

@@ -1,6 +1,6 @@
 {
   "name": "@cyclonedx/cyclonedx-library",
-  "version": "10.0.1-alpha.1",
+  "version": "10.0.1-alpha.2",
   "description": "Core functionality of CycloneDX for JavaScript (Node.js or WebBrowser).",
   "license": "Apache-2.0",
   "keywords": [