Configure package and release workflow for trusted publishing

Author: benchristel

.github/workflows/release.yml

@@ -36,6 +36,9 @@ jobs:
       matrix:
         os: [ ubuntu-latest ]
         node-version: [ 20.x ]
+    permissions:
+      id-token: write # For trusted publishing to npm (includes provenance)
+      contents: write # For GitHub pages and creating release PRs
     steps:
       - uses: actions/checkout@v4
         with:
@@ -50,6 +53,14 @@ jobs:
         run: |
           pnpm install --frozen-lockfile
 
+      # NPM trusted publishing requires npm CLI v11.5.1+. Node.js 22 ships with
+      # npm 10.x, so we need to upgrade. Note that pnpm uses npm under the hood
+      # for publishes.
+      - name: Upgrade npm for OIDC support
+        run: |
+          npm install -g npm@latest
+          echo "✅ npm upgraded to $(npm --version)"
+
       - name: Create Release Pull Request or Publish to npm
         id: changesets
         uses: changesets/action@v1
@@ -61,4 +72,9 @@ jobs:
           # the account of someone with appropriate access levels and given the
           # repo scope.
           GITHUB_TOKEN: ${{ secrets.KHAN_ACTIONS_BOT_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          # NPM_CONFIG_PROVENANCE is for trusted publishing. We set this so
+          # that (p)npm publish will include the provenance information in the
+          # package.json file and surface it in the npm registry. See:
+          # - https://docs.npmjs.com/generating-provenance-statements
+          # - https://khanacademy.atlassian.net/wiki/spaces/FRONTEND/blog/4432363720/npm+Trusted+Publishing
+          NPM_CONFIG_PROVENANCE: true

package.json

@@ -10,7 +10,8 @@
     "url": "https://github.com/Khan/format-claude-stream/issues"
   },
   "publishConfig": {
-    "access": "public"
+    "access": "public",
+    "provenance": true
   },
   "bin": "cli/main.ts",
   "main": "dist/index.js",