refactor: introduce trusted publishing (#1269)

* refactor: Remove NPM token setting from publish script

Removed the line setting the NPM authentication token.

* Update 03-publish-packages.yml

* Update Node.js version in .nvmrc to 24

* Update release.yml

* refactor: running prettier

* Remove provenance flag from npm publish command

Removed the '--provenance' flag from the npm publish command.

Author: mfranzke

.github/scripts/publish-npm.sh

@@ -35,12 +35,11 @@ do
     echo "🔑 Authenticated with GITHUB"
   elif [[ $REGISTRY == 'NPM' ]]; then
     npm config set @db-ui:registry https://registry.npmjs.org/
-    npm set //registry.npmjs.org/:_authToken "$NPM_TOKEN"
     echo "🔑 Authenticated with NPM"
   else
     echo "Could not authenticate with $REGISTRY"
     exit 1
   fi
   # https://docs.npmjs.com/generating-provenance-statements#example-github-actions-workflow
-  npm publish --tag "$TAG" db-ui-core-"$VALID_SEMVER_VERSION".tgz --provenance
+  npm publish --tag "$TAG" db-ui-core-"$VALID_SEMVER_VERSION".tgz
 done

.github/workflows/03-publish-packages.yml

@@ -50,7 +50,6 @@ jobs:
           PRE_RELEASE: ${{ inputs.preRelease }}
           VALID_SEMVER_VERSION: ${{ inputs.version }}
           GITHUB_COMMITISH: ${{ github.event.release.target_commitish }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
           GPR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
       - name: ⬆ Upload Package Artifact db-ui-core

.github/workflows/release.yml

@@ -35,6 +35,8 @@ jobs:
     uses: ./.github/workflows/03-publish-packages.yml
     needs: [lint, test, build, get-publish-version]
     secrets: inherit
+    permissions:
+      id-token: write # Required for OIDC
     with:
       release: ${{ needs.get-publish-version.outputs.release }}
       preRelease: ${{ needs.get-publish-version.outputs.preRelease }}

.nvmrc

@@ -1 +1 @@
-22
+24