update npm deploy workflow to OIDC. (#3691)

Author: fatbattk

.github/workflows/actions/prepare/action.yml

@@ -2,11 +2,12 @@ name: Prepare repo
 runs:
   using: 'composite'
   steps:
-    - uses: actions/setup-node@v3
+    - uses: actions/setup-node@v4
       name: Setup node.js and yarn
       with:
+        registry-url: 'https://registry.npmjs.org' # Required for OIDC
         cache: yarn
-        node-version-file: '.nvmrc'
+        node-version-file: '.nvmrc' # Must be 20+ to support npm 11.5.1+
 
     - name: Yarn install
       run: yarn install --frozen-lockfile

.github/workflows/deploy.yml

@@ -18,32 +18,36 @@ jobs:
   changesets:
     name: Deploy
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write # Required for OIDC
     steps:
       - uses: actions/checkout@v4
         with:
           token: ${{ secrets.SHOPIFY_GH_ACCESS_TOKEN }}
 
       - uses: ./.github/workflows/actions/prepare
 
+      - name: Update npm to latest
+        run: npm install -g npm@latest
+
       - id: changesets
         name: Create release Pull Request or publish to NPM
-        uses: changesets/action@v1
+        uses: changesets/action@e0145edc7d9d8679003495b11f87bd8ef63c0cba # v1.5.3
         with:
           title: Version Packages (${{ github.ref_name }})
           publish: yarn run deploy --tag ${{ github.ref_name }}
         env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_TOKEN: '' # Forces OIDC authentication
           GITHUB_TOKEN: ${{ secrets.SHOPIFY_GH_ACCESS_TOKEN }}
 
+      # Known to fail in OIDC (https://github.com/npm/cli/issues/8547).
+      # Workaround is to manually ask #help-eng-infrastructure to update `latest` tag.
       - name: Set 'latest' NPM dist tag
         if: steps.changesets.outputs.published == 'true' && github.ref_name == vars.LATEST_STABLE_VERSION
         env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
           PUBLISHED_PACKAGES: ${{ steps.changesets.outputs.publishedPackages }}
         run: |
-          cat << EOF > "$HOME/.npmrc"
-            //registry.npmjs.org/:_authToken=$NPM_TOKEN
-          EOF
           for pkg in $(echo "$PUBLISHED_PACKAGES" | jq -r '.[] | @base64'); do
             _jq() {
               echo ${pkg} | base64 --decode | jq -r ${1}

.nvmrc

@@ -1 +1 @@
-v20.10.0
+v20.19.6

packages/ui-extensions/package.json

@@ -77,6 +77,11 @@
     "access": "public",
     "@shopify:registry": "https://registry.npmjs.org/"
   },
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/Shopify/ui-extensions.git",
+    "directory": "packages/ui-extensions"
+  },
   "files": [
     "build",
     "src",