
Remove NODE_AUTH_TOKEN from npm publish step#43

Merged
AndrewGable merged 3 commits into main from andrew-odic
Oct 28, 2025

Conversation

@AndrewGable (Contributor)

Details

Removed NODE_AUTH_TOKEN from npm publish step since we will now use the OIDC method to publish npm libraries.

Related Issues

Related https://github.com/Expensify/Expensify/issues/558148

Removed NODE_AUTH_TOKEN from npm publish step.
Added permissions for id-token and contents in npmPublish workflow.
@roryabraham (Contributor) left a comment

I think this workflow is used in a few places. It seems likely that just removing the NODE_AUTH_TOKEN will break all the places where this is used, right?

@roryabraham (Contributor)

hmmm ok no I see... catching up on the required reading in https://docs.npmjs.com/trusted-publishers. Trying to get into npm settings so I can buddy-check them

@roryabraham (Contributor)

hrmm ok I see:

  1. Trusted publishers are configured on a per-package basis in npm. So this will indeed likely break other repos that rely on this publishing workflow in order to work. That might just be what we need to do to roll this out, but we should be prepared to announce that disruption while we iterate on getting this right.

  2. It's not perfectly clear how GitHub and npm will react to using a callable workflow from another repo to publish, but my hunch is that publish.yml in react-native-qrcode-svg will still need these permissions either at the workflow level (or equivalently in that case at the job level) when the callable workflow from this repo is called. I see you removed them in Clean up permissions in publish.yml react-native-qrcode-svg#247, which I don't think is correct:

    permissions:
      id-token: write  # Required for OIDC: https://docs.npmjs.com/trusted-publishers
      contents: read
    

From: https://docs.github.com/en/actions/reference/workflows-and-actions/reusing-workflow-configurations#supported-keywords-for-jobs-that-call-a-reusable-workflow

  • If jobs.<job_id>.permissions is not specified in the calling job, the called workflow will have the default permissions for the GITHUB_TOKEN
  • The GITHUB_TOKEN permissions passed from the caller workflow can be only downgraded (not elevated) by the called workflow

Given that, setting these permissions in this callable is probably redundant.
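The permission-inheritance point above, shown as a pair of workflow files. This is an added illustration, not the Expensify workflows themselves: the repository reference `example-org/GitHub-Actions`, the file paths and the action versions are hypothetical. The two documents are separated by `---` so they fit in one block; in practice each is its own file.

```yaml
# Caller workflow in the package repository (hypothetical path:
# .github/workflows/publish.yml). The calling job is where id-token: write
# must be granted: per the GitHub docs quoted above, a called workflow can
# only downgrade the GITHUB_TOKEN permissions it receives, never elevate them,
# so a grant that lives only in the reusable workflow would have no effect.
name: Publish
on:
  push:
    tags: ['v*']
jobs:
  publish:
    permissions:
      id-token: write  # required for npm trusted publishing (OIDC)
      contents: read
    # Hypothetical reference to the shared callable workflow.
    uses: example-org/GitHub-Actions/.github/workflows/npmPublish.yml@main
---
# Callable workflow in the shared actions repository (hypothetical path:
# .github/workflows/npmPublish.yml). There is no NODE_AUTH_TOKEN secret here:
# with trusted publishing configured for the package on npmjs.com, an npm CLI
# version that supports it obtains the job's OIDC token from the runner and
# exchanges it with the registry for a short-lived publish credential.
name: npmPublish
on:
  workflow_call:
jobs:
  publish:
    runs-on: ubuntu-latest
    # Redundant given the caller's grant (it cannot exceed what the caller
    # passed in), but harmless; it documents what the job needs.
    permissions:
      id-token: write
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://registry.npmjs.org
      - run: npm ci
      - run: npm publish
```

A quick check for whether the caller's grant is in place: if `id-token: write` is missing on the calling job, the publish step fails at the registry exchange rather than at the workflow level, because the runner simply has no OIDC token to hand out. That is the failure mode to expect when rolling this out across repositories that still rely on the old token-based step.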

@roryabraham (Contributor) left a comment

@AndrewGable and I chatted, here's our gameplan:

  1. @AndrewGable will set up OIDC on all the npmjs packages on npmjs.org
  2. We will merge https://github.com/Expensify/GitHub-Actions/pull/43/files and Expensify/react-native-qrcode-svg#247, just to confirm that we do in fact need permissions in all repos
  3. If we do confirm this, then @AndrewGable will add permissions to all the repos and remove the permissions from GitHub-Actions

@AndrewGable AndrewGable merged commit 02e93b8 into main Oct 28, 2025
4 checks passed
@AndrewGable AndrewGable deleted the andrew-odic branch October 28, 2025 21:33

2 participants