refactor: introduce trusted publishing (#789)

* refactor: introduced trusted publishing

* Update publish-npm.sh

* Update 03-publish-packages.yml

* Update 03-publish-packages.yml

* Update 03-publish-packages.yml

* Update 03-publish-packages.yml

* Add permissions for contents in release workflow

* Update permissions in release workflow

Change permissions to allow write access for id-token.

* Update 03-publish-packages.yml

* Update .nvmrc

* Update release.yml

* Remove provenance flag from npm publish command

Author: mfranzke

.github/scripts/publish-npm.sh

@@ -39,12 +39,11 @@ do
     echo "🔑 Authenticated with GITHUB"
   elif [[ $REGISTRY == 'NPM' ]]; then
     npm config set @db-ui:registry https://registry.npmjs.org/
-    npm set //registry.npmjs.org/:_authToken "$NPM_TOKEN"
     echo "🔑 Authenticated with NPM"
   else
     echo "Could not authenticate with $REGISTRY"
     exit 1
   fi
   # https://docs.npmjs.com/generating-provenance-statements#example-github-actions-workflow
-  npm publish --tag "$TAG" db-ui-base-"$VALID_SEMVER_VERSION".tgz --provenance
+  npm publish --tag "$TAG" db-ui-base-"$VALID_SEMVER_VERSION".tgz
 done

.github/workflows/03-publish-packages.yml

@@ -48,7 +48,6 @@ jobs:
           PRE_RELEASE: ${{ inputs.preRelease }}
           VALID_SEMVER_VERSION: ${{ inputs.version }}
           GITHUB_COMMITISH: ${{ github.event.release.target_commitish }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
           GPR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: ⬆ Upload Package Artifact db-ui-base

.github/workflows/release.yml

@@ -40,6 +40,8 @@ jobs:
     uses: ./.github/workflows/03-publish-packages.yml
     needs: [lint, build, get-publish-version]
     secrets: inherit
+    permissions:
+      id-token: write  # Required for OIDC
     with:
       release: ${{ needs.get-publish-version.outputs.release }}
       preRelease: ${{ needs.get-publish-version.outputs.preRelease }}

.nvmrc

@@ -1 +1 @@
-22
+24