upgrade publish mechanism (#1792)

Use OIDC instead of token to publish to NPM, and use github permissions
to reenable publishing to github

Will be able to remove npm token from the secrets

also, git push before publishing anything

already tested for `@huggingface/hub`

Author: coyotte508

.github/workflows/agents-publish.yml

@@ -19,27 +19,30 @@ defaults:
   run:
     working-directory: packages/agents
 
+permissions:
+  contents: write
+  id-token: write
+  packages: write
+
 jobs:
   version_and_release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
         with:
           # Needed to push the tag and the commit on the main branch, otherwise we get:
           # > Run git push --follow-tags
           # remote: error: GH006: Protected branch update failed for refs/heads/main.
           # remote: error: Changes must be made through a pull request. Required status check "lint" is expected.
           token: ${{ secrets.BOT_ACCESS_TOKEN }}
       - run: npm install -g corepack@latest && corepack enable
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version: "24"
           cache: "pnpm"
           cache-dependency-path: |
             packages/agents/pnpm-lock.yaml
             packages/doc-internal/pnpm-lock.yaml
-          # setting a registry enables the NODE_AUTH_TOKEN env variable where we can set an npm token.  REQUIRED
-          registry-url: "https://registry.npmjs.org"
       - run: pnpm install
       - run: git config --global user.name machineuser
       - run: git config --global user.email infra+machineuser@huggingface.co
@@ -52,19 +55,19 @@ jobs:
           git add ../..
           git commit -m "🔖 @huggingface/agents $BUMPED_VERSION"
           git tag "agents-v$BUMPED_VERSION"
-      - run: pnpm --filter agents... build && pnpm publish --no-git-checks .
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
       - run: (git pull --rebase && git push --follow-tags) || (git pull --rebase && git push --follow-tags)
-      # hack - reuse actions/setup-node@v3 just to set a new registry
-      - uses: actions/setup-node@v3
+
+      - run: pnpm --filter agents... build && pnpm publish --no-git-checks .
+      # hack - reuse actions/setup-node@v4 just to set a new registry
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version: "24"
           registry-url: "https://npm.pkg.github.com"
-      # Disable for now, until github supports PATs for writing github packages (https://github.com/github/roadmap/issues/558)
-      # - run: pnpm publish --no-git-checks .
-      #   env:
-      #     NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - run: pnpm publish --no-git-checks .
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: "Update Doc"
         uses: peter-evans/repository-dispatch@v2
         with:

.github/workflows/blake3-wasm-publish.yml

@@ -19,26 +19,29 @@ defaults:
   run:
     working-directory: packages/blake3-wasm
 
+permissions:
+  contents: write
+  id-token: write
+  packages: write
+
 jobs:
   version_and_release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
         with:
           # Needed to push the tag and the commit on the main branch, otherwise we get:
           # > Run git push --follow-tags
           # remote: error: GH006: Protected branch update failed for refs/heads/main.
           # remote: error: Changes must be made through a pull request. Required status check "lint" is expected.
           token: ${{ secrets.BOT_ACCESS_TOKEN }}
       - run: npm install -g corepack@latest && corepack enable
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version: "24"
           cache: "pnpm"
           cache-dependency-path: |
             packages/blake3-wasm/pnpm-lock.yaml
-          # setting a registry enables the NODE_AUTH_TOKEN env variable where we can set an npm token.  REQUIRED
-          registry-url: "https://registry.npmjs.org"
       - run: pnpm install
       - run: git config --global user.name machineuser
       - run: git config --global user.email infra+machineuser@huggingface.co
@@ -49,16 +52,16 @@ jobs:
           node -e "const fs = require('fs'); const package = JSON.parse(fs.readFileSync('./package.json')); package.version = '$BUMPED_VERSION'; fs.writeFileSync('./package.json', JSON.stringify(package, null, '\t') + '\n');"
           git commit . -m "🔖 @huggingface/blake3-wasm $BUMPED_VERSION"
           git tag "blake3-wasm-v$BUMPED_VERSION"
-      - run: pnpm publish --no-git-checks .
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
       - run: (git pull --rebase && git push --follow-tags) || (git pull --rebase && git push --follow-tags)
-      # hack - reuse actions/setup-node@v3 just to set a new registry
-      - uses: actions/setup-node@v3
+
+      - run: pnpm publish --no-git-checks .
+      # hack - reuse actions/setup-node@v4 just to set a new registry
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version: "24"
           registry-url: "https://npm.pkg.github.com"
-      # Disable for now, until github supports PATs for writing github packages (https://github.com/github/roadmap/issues/558)
-      # - run: pnpm publish --no-git-checks .
-      #   env:
-      #     NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - run: pnpm publish --no-git-checks .
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/blob-publish.yml

@@ -19,26 +19,29 @@ defaults:
   run:
     working-directory: packages/blob
 
+permissions:
+  contents: write
+  id-token: write
+  packages: write
+
 jobs:
   version_and_release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
         with:
           # Needed to push the tag and the commit on the main branch, otherwise we get:
           # > Run git push --follow-tags
           # remote: error: GH006: Protected branch update failed for refs/heads/main.
           # remote: error: Changes must be made through a pull request. Required status check "lint" is expected.
           token: ${{ secrets.BOT_ACCESS_TOKEN }}
       - run: npm install -g corepack@latest && corepack enable
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version: "24"
           cache: "pnpm"
           cache-dependency-path: |
             packages/blob/pnpm-lock.yaml
-          # setting a registry enables the NODE_AUTH_TOKEN env variable where we can set an npm token.  REQUIRED
-          registry-url: "https://registry.npmjs.org"
       - run: pnpm install
       - run: git config --global user.name machineuser
       - run: git config --global user.email infra+machineuser@huggingface.co
@@ -50,19 +53,18 @@ jobs:
           git commit . -m "🔖 @huggingface/blob $BUMPED_VERSION"
           git tag "blob-v$BUMPED_VERSION"
 
-      - run: pnpm publish --no-git-checks .
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
       - run: (git pull --rebase && git push --follow-tags) || (git pull --rebase && git push --follow-tags)
-      # hack - reuse actions/setup-node@v3 just to set a new registry
-      - uses: actions/setup-node@v3
+
+      - run: pnpm publish --no-git-checks .
+      # hack - reuse actions/setup-node@v4 just to set a new registry
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version: "24"
           registry-url: "https://npm.pkg.github.com"
-      # Disable for now, until github supports PATs for writing github packages (https://github.com/github/roadmap/issues/558)
-      # - run: pnpm publish --no-git-checks .
-      #   env:
-      #     NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - run: pnpm publish --no-git-checks .
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: "Update Doc"
         uses: peter-evans/repository-dispatch@v2
         with:

.github/workflows/dduf-publish.yml

@@ -19,26 +19,29 @@ defaults:
   run:
     working-directory: packages/dduf
 
+permissions:
+  contents: write
+  id-token: write
+  packages: write
+
 jobs:
   version_and_release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
         with:
           # Needed to push the tag and the commit on the main branch, otherwise we get:
           # > Run git push --follow-tags
           # remote: error: GH006: Protected branch update failed for refs/heads/main.
           # remote: error: Changes must be made through a pull request. Required status check "lint" is expected.
           token: ${{ secrets.BOT_ACCESS_TOKEN }}
       - run: npm install -g corepack@latest && corepack enable
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version: "24"
           cache: "pnpm"
           cache-dependency-path: |
             packages/dduf/pnpm-lock.yaml
-          # setting a registry enables the NODE_AUTH_TOKEN env variable where we can set an npm token.  REQUIRED
-          registry-url: "https://registry.npmjs.org"
       - run: pnpm install
       - run: git config --global user.name machineuser
       - run: git config --global user.email infra+machineuser@huggingface.co
@@ -53,19 +56,18 @@ jobs:
       - name: "Check Deps are published before publishing this package"
         run: pnpm -w check-deps blob
 
-      - run: pnpm publish --no-git-checks .
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
       - run: (git pull --rebase && git push --follow-tags) || (git pull --rebase && git push --follow-tags)
-      # hack - reuse actions/setup-node@v3 just to set a new registry
-      - uses: actions/setup-node@v3
+
+      - run: pnpm publish --no-git-checks .
+      # hack - reuse actions/setup-node@v4 just to set a new registry
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version: "24"
           registry-url: "https://npm.pkg.github.com"
-      # Disable for now, until github supports PATs for writing github packages (https://github.com/github/roadmap/issues/558)
-      # - run: pnpm publish --no-git-checks .
-      #   env:
-      #     NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - run: pnpm publish --no-git-checks .
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: "Update Doc"
         uses: peter-evans/repository-dispatch@v2
         with:

.github/workflows/gearhash-wasm-publish.yml

@@ -19,26 +19,29 @@ defaults:
   run:
     working-directory: packages/gearhash-wasm
 
+permissions:
+  contents: write
+  id-token: write
+  packages: write
+
 jobs:
   version_and_release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
         with:
           # Needed to push the tag and the commit on the main branch, otherwise we get:
           # > Run git push --follow-tags
           # remote: error: GH006: Protected branch update failed for refs/heads/main.
           # remote: error: Changes must be made through a pull request. Required status check "lint" is expected.
           token: ${{ secrets.BOT_ACCESS_TOKEN }}
       - run: npm install -g corepack@latest && corepack enable
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version: "24"
           cache: "pnpm"
           cache-dependency-path: |
             packages/gearhash-wasm/pnpm-lock.yaml
-          # setting a registry enables the NODE_AUTH_TOKEN env variable where we can set an npm token.  REQUIRED
-          registry-url: "https://registry.npmjs.org"
       - run: pnpm install
       - run: git config --global user.name machineuser
       - run: git config --global user.email infra+machineuser@huggingface.co
@@ -49,16 +52,16 @@ jobs:
           node -e "const fs = require('fs'); const package = JSON.parse(fs.readFileSync('./package.json')); package.version = '$BUMPED_VERSION'; fs.writeFileSync('./package.json', JSON.stringify(package, null, '\t') + '\n');"
           git commit . -m "🔖 @huggingface/gearhash-wasm $BUMPED_VERSION"
           git tag "gearhash-wasm-v$BUMPED_VERSION"
-      - run: pnpm publish --no-git-checks .
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
       - run: (git pull --rebase && git push --follow-tags) || (git pull --rebase && git push --follow-tags)
-      # hack - reuse actions/setup-node@v3 just to set a new registry
-      - uses: actions/setup-node@v3
+
+      - run: pnpm publish --no-git-checks .
+      # hack - reuse actions/setup-node@v4 just to set a new registry
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version: "24"
           registry-url: "https://npm.pkg.github.com"
-      # Disable for now, until github supports PATs for writing github packages (https://github.com/github/roadmap/issues/558)
-      # - run: pnpm publish --no-git-checks .
-      #   env:
-      #     NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - run: pnpm publish --no-git-checks .
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/gguf-publish.yml

@@ -23,26 +23,29 @@ defaults:
   run:
     working-directory: packages/gguf
 
+permissions:
+  contents: write
+  id-token: write
+  packages: write
+
 jobs:
   version_and_release:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v5
         with:
           # Needed to push the tag and the commit on the main branch, otherwise we get:
           # > Run git push --follow-tags
           # remote: error: GH006: Protected branch update failed for refs/heads/main.
           # remote: error: Changes must be made through a pull request. Required status check "lint" is expected.
           token: ${{ secrets.BOT_ACCESS_TOKEN }}
       - run: npm install -g corepack@latest && corepack enable
-      - uses: actions/setup-node@v3
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version: "24"
           cache: "pnpm"
           cache-dependency-path: |
             packages/gguf/pnpm-lock.yaml
-          # setting a registry enables the NODE_AUTH_TOKEN env variable where we can set an npm token.  REQUIRED
-          registry-url: "https://registry.npmjs.org"
       - run: pnpm install
       - run: git config --global user.name machineuser
       - run: git config --global user.email infra+machineuser@huggingface.co
@@ -58,16 +61,15 @@ jobs:
         name: "Check Deps are published before publishing this package"
         run: pnpm -w check-deps tasks
 
-      - run: pnpm publish --no-git-checks .
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
       - run: (git pull --rebase && git push --follow-tags) || (git pull --rebase && git push --follow-tags)
-      # hack - reuse actions/setup-node@v3 just to set a new registry
-      - uses: actions/setup-node@v3
+
+      - run: pnpm publish --no-git-checks .
+      # hack - reuse actions/setup-node@v4 just to set a new registry
+      - uses: actions/setup-node@v4
         with:
-          node-version: "20"
+          node-version: "24"
           registry-url: "https://npm.pkg.github.com"
-      # Disable for now, until github supports PATs for writing github packages (https://github.com/github/roadmap/issues/558)
-      # - run: pnpm publish --no-git-checks .
-      #   env:
-      #     NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+      - run: pnpm publish --no-git-checks .
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/hub-publish.yml

@@ -74,7 +74,6 @@ jobs:
           node-version: "24"
           registry-url: "https://npm.pkg.github.com"
 
-      # Disable for now, until github supports PATs for writing github packages (https://github.com/github/roadmap/issues/558)
       - run: pnpm publish --no-git-checks .
         env:
           NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}