update deploy to handle deploy-rc with OIDC.

Author: fatbattk

.github/workflows/actions/prepare/action.yml

@@ -7,7 +7,6 @@ runs:
       with:
         cache: yarn
         node-version-file: '.nvmrc'
-        registry-url: 'https://registry.npmjs.org'
 
     - name: Yarn install
       run: yarn install --frozen-lockfile

.github/workflows/deploy-rc.yml

@@ -3,6 +3,7 @@ name: Deploy
 on:
   push:
     branches:
+      # Stable version branches
       - 2023-04
       - 2023-07
       - 2023-10
@@ -11,40 +12,50 @@ on:
       - 2024-07
       - 2024-10
       - 20[0-9][0-9]-[01][1470]
+      # RC version branches
+      - 20[0-9][0-9]-[01][1470]-rc
 
 concurrency: ${{ github.workflow }}-${{ github.ref }}
 
 jobs:
   changesets:
     name: Deploy
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write # Required for OIDC
     steps:
       - uses: actions/checkout@v3
         with:
           token: ${{ secrets.SHOPIFY_GH_ACCESS_TOKEN }}
 
       - uses: ./.github/workflows/actions/prepare
 
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20' # Must be 20+ to support npm 11.5.1+
+          registry-url: 'https://registry.npmjs.org' # Required for OIDC
+          cache: yarn
+
+      - name: Update npm to latest
+        run: npm install -g npm@latest
+
       - id: changesets
         name: Create release Pull Request or publish to NPM
-        uses: changesets/action@06245a4e0a36c064a573d4150030f5ec548e4fcc # v1.4.10
+        uses: changesets/action@v1 # Must use latest version for OIDC
         with:
           title: Version Packages (${{ github.ref_name }})
-          publish: yarn run deploy --tag ${{ github.ref_name }}
+          publish: yarn run deploy --tag ${{ endsWith(github.ref_name, '-rc') && 'rc' || github.ref_name }} # RC publishes as `rc` tag, stable publishes as the version number
           createGithubReleases: false
         env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_TOKEN: '' # Forces OIDC authentication
           GITHUB_TOKEN: ${{ secrets.SHOPIFY_GH_ACCESS_TOKEN }}
 
       - name: Set 'latest' NPM dist tag
         if: steps.changesets.outputs.published == 'true' && github.ref_name == vars.LATEST_STABLE_VERSION
         env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
           PUBLISHED_PACKAGES: ${{ steps.changesets.outputs.publishedPackages }}
         run: |
-          cat << EOF > "$HOME/.npmrc"
-            //registry.npmjs.org/:_authToken=$NPM_TOKEN
-          EOF
           for pkg in $(echo "$PUBLISHED_PACKAGES" | jq -r '.[] | @base64'); do
             _jq() {
               echo ${pkg} | base64 --decode | jq -r ${1}