ci: implement trusted publishing (#1291)

* chore: update npm to latest version in main branch check workflow

* chore: update npm engine version to >=11.5.1 in package.json files

* chore: add permissions for OIDC and npm.js Trusted Publishing in production and pre release workflow

* chore: move npm update step to setup action for consistency

* chore: remove NODE_AUTH_TOKEN from NPM publish steps in workflows

* chore: update SonarCloud scan action to version 6

---------

Co-authored-by: Sakchai.Homhual <[email protected]>

Author: Sakchai-Refinitiv

.github/actions/setup/action.yml

@@ -10,6 +10,10 @@ runs:
         node-version: 20.x
         cache: 'npm'
 
+    - name: Update npm to 11 # Trusted Publishing requires npm >= 11.5.1
+      run: npm install -g npm@11
+      shell: bash
+
     - name: Setup caching dependencies
       uses: actions/cache@v4
       id: cache-node_modules

.github/workflows/dev_release.yml

@@ -6,6 +6,9 @@ on:
 jobs:
   publish:
     environment: development
+    permissions:
+      id-token: write # Required for OIDC and npm.js Trusted Publishing
+      contents: write
     runs-on: ubuntu-latest
     steps:
       - name: Check out repository code
@@ -21,5 +24,3 @@ jobs:
 
       - name: Publish to NPM
         run: npx lerna publish 0.0.0-dev.${{ github.run_id }}.${{ github.run_attempt }} --dist-tag dev --force-publish --exact --include-merged-tags --no-private --no-changelog --no-git-tag-version --no-push --yes
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

.github/workflows/pre_release.yml

@@ -57,6 +57,9 @@ jobs:
     name: Publish
     needs: test
     environment: development
+    permissions:
+      id-token: write # Required for OIDC and npm.js Trusted Publishing
+      contents: write
     runs-on: ubuntu-latest
     steps:
       - name: Check out repository code
@@ -80,18 +83,14 @@ jobs:
         run: npx lerna publish ${{ inputs.version }} --preid next --dist-tag next --force-publish --include-merged-tags --no-private --no-changelog --yes
         env:
           GH_TOKEN: ${{ secrets.GH_TOKEN }}
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Publish to NPM (modified packages)
         if: ${{ inputs.version != 'premajor' }}
         run: npx lerna publish ${{ inputs.version }} --preid next --dist-tag next --include-merged-tags --no-private --no-changelog --yes
         env:
           GH_TOKEN: ${{ secrets.GH_TOKEN }}
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Deprecate Solar Theme on npm
         run: |
           DEPRECATION_MESSAGE=$(npm info @refinitiv-ui/solar-theme deprecated)
           if [[ -z $DEPRECATION_MESSAGE ]]; then npm deprecate @refinitiv-ui/solar-theme "Solar theme is deprecated. Consider migrating to @refinitiv-ui/halo-theme instead."; fi
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}

.github/workflows/prod_release.yml

@@ -57,6 +57,9 @@ jobs:
     environment:
       name: production
       url: https://ui.refinitiv.com
+    permissions:
+      id-token: write # Required for OIDC and npm.js Trusted Publishing
+      contents: write
     runs-on: ubuntu-latest
     steps:
       - name: Check out repository code
@@ -93,15 +96,11 @@ jobs:
 
       - name: Publish to NPM
         run: npx lerna publish from-git --yes
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Deprecate Solar Theme on npm
         run: |
           DEPRECATION_MESSAGE=$(npm info @refinitiv-ui/solar-theme deprecated)
           if [[ -z $DEPRECATION_MESSAGE ]]; then npm deprecate @refinitiv-ui/solar-theme "Solar theme is deprecated. Consider migrating to @refinitiv-ui/halo-theme instead."; fi
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Publish Docs
         run: curl -X POST "https://api.cloudflare.com/client/v4/pages/webhooks/deploy_hooks/${{ secrets.CF_DEPLOY_HOOKS_ID_V7 }}"

.github/workflows/sonarcloud_scan.yml

@@ -34,7 +34,7 @@ jobs:
         uses: ./.github/actions/setup
 
       - name: SonarCloud Scan
-        uses: SonarSource/sonarqube-scan-action@v5
+        uses: SonarSource/sonarqube-scan-action@v6
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Needed to get PR information, if any
           SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}

documents/package.json

@@ -6,7 +6,7 @@
   "description": "Element Framework Documentation",
   "engines": {
     "node": ">=20.0.0",
-    "npm": ">=10.0.0"
+    "npm": ">=11.5.1"
   },
   "scripts": {
     "lint": "eslint .",