Enforcing npm publishing access on nodejs packages

[legendecas]

With granular tokens and OIDC migration in #998, we could now consider enforcing the rule to require 2fa on publishing, and even disallow tokens (including granular tokens and classic tokens) on packages hosted on https://www.npmjs.com/~nodejs-foundation.

The current available options are (this is a per-package setting):

[ljharb]

Trusted Publishing currently has a number of security issues in its implementation, but once those are resolved, as long as all packages using it are also using Environments with 2+ required reviewers, then this is a great change to make.

[legendecas]

This setting is not necessarily associated with OIDC based publishing. This is an enforcement on requiring 2fa when publishing with either classic or granular tokens. This should be a security gain on the current setup.

[ljharb]

Right - but I'm saying that migrating from tokens to OIDC should not be an option at the moment, so we can't yet disallow 1FA tokens.

[mcollina]

In today TSC meeting we proposed to require publish with 2Fa for all publishing. We didn't have quorum, so, we'd live this open for another week.

@legendecas would post an issue in the packages to notify them of the change.

[legendecas]

Packages may be impacted by the change:

(these packages were published in the past year and were published by an individual account or token)

• https://github.com/nodejs/changelog-maker / https://www.npmjs.com/package/changelog-maker
• https://github.com/nodejs/citgm / https://www.npmjs.com/package/citgm
• https://github.com/nodejs/branch-diff / https://www.npmjs.com/package/branch-diff
• https://github.com/nodejs/core-validate-commit / https://www.npmjs.com/package/core-validate-commit
• https://github.com/nodejs/lts-schedule / https://www.npmjs.com/package/lts
• https://github.com/nodejs/cjs-module-lexer / https://www.npmjs.com/package/cjs-module-lexer