Support Trusted Publishing (#1629)

Author: gossi

.github/actions/setup/action.yml

@@ -1,10 +1,11 @@
-name: 'Setup'
+name: Setup
+description: Install toolchain for this repo CI tasks
 inputs:
   node-version:
-    description: 'Specific node version'
+    description: "Specific node version"
     required: false
 runs:
-  using: 'composite'
+  using: composite
   steps:
     - name: Install pnpm
       uses: pnpm/action-setup@v4
@@ -13,11 +14,11 @@ runs:
       uses: actions/setup-node@v5
       with:
         node-version: ${{ inputs.node-version }}
-        node-version-file: '.node-version'
-        cache: 'pnpm'
+        node-version-file: ".node-version"
+        cache: "pnpm"
         # This creates an .npmrc that reads the NODE_AUTH_TOKEN environment variable
         # necessary for publish
-        registry-url: 'https://registry.npmjs.org'
+        registry-url: "https://registry.npmjs.org"
 
     - name: Install dependencies
       run: pnpm install

.github/workflows/publish.yml

@@ -10,15 +10,15 @@ on:
     branches:
       - main
     paths:
-      - '.release-plan.json'
+      - ".release-plan.json"
 
 concurrency:
   group: publish-${{ github.head_ref || github.ref }}
   cancel-in-progress: true
 
 jobs:
   publish:
-    name: 'NPM Publish'
+    name: "NPM Publish"
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -30,8 +30,10 @@ jobs:
       - uses: actions/checkout@v5
       - name: Setup
         uses: ./.github/actions/setup
+        # we are doing this to make sure theat the gloabally installed npm is new enough to support OIDC
+      - name: Install latest npm (for Trusted Publishing)
+        run: npm install -g npm@latest
       - name: Publish to NPM
         run: NPM_CONFIG_PROVENANCE=true pnpm release-plan publish
         env:
           GITHUB_AUTH: ${{ secrets.GITHUB_TOKEN }}
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}