Use NPM trusted publishing (#725)

NPM classic tokens are no more, trusted publishing is the future.

Prevent failures like
https://github.com/amacneil/dbmate/actions/runs/20837451898/job/59865223681

<!-- CURSOR_SUMMARY -->
> [!NOTE]
> Adopts NPM OIDC trusted publishing and tidies GitHub workflows and
package metadata.
> 
> - CI `npm` job: grants `id-token` permissions, enables `corepack`,
removes registry/token usage; `typescript/publish.ts` unsets
`NODE_AUTH_TOKEN` and publishes via `corepack npm publish --provenance`
> - Moves Dependabot auto-approve into new `dependabot.yml`; minor
naming tweaks in post-release workflow
> - Adds empty `.prettierrc.json`; sets `packageManager` in
`typescript/package.json`
> - Updates package metadata for `dbmate` and template packages
(repository format, bin mapping, homepage/author)
> - Bumps `pkg/dbmate/version.go` to `2.29.1`
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
00b792f. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Author: amacneil

.github/workflows/ci.yml

@@ -181,14 +181,18 @@ jobs:
     name: NPM
     runs-on: ubuntu-latest
     needs: build
+    permissions:
+      contents: read
+      id-token: write
 
     steps:
       - uses: actions/checkout@v6
 
+      - run: corepack enable
+
       - uses: actions/setup-node@v6
         with:
           node-version: 20
-          registry-url: https://registry.npmjs.org
           cache: npm
           cache-dependency-path: typescript/package-lock.json
 
@@ -210,23 +214,3 @@ jobs:
       - run: npm run publish
         if: ${{ startsWith(github.ref, 'refs/tags/v') }}
         working-directory: typescript
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}
-
-  dependabot:
-    name: Dependabot
-    runs-on: ubuntu-latest
-    permissions:
-      pull-requests: write
-    if: github.event.pull_request.user.login == 'dependabot[bot]'
-    steps:
-      - name: Automatically approve dependabot PRs
-        uses: octokit/request-action@v2.x
-        with:
-          route: POST /repos/{owner}/{repo}/pulls/{pull_number}/reviews
-          owner: ${{ github.event.repository.owner.login }}
-          repo: ${{ github.event.repository.name }}
-          pull_number: ${{ github.event.pull_request.number }}
-          event: APPROVE
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/dependabot.yml

@@ -0,0 +1,22 @@
+name: Dependabot
+
+on:
+  pull_request:
+
+jobs:
+  approve:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    steps:
+      - name: Approve Dependabot PR
+        uses: octokit/request-action@v2.x
+        with:
+          route: POST /repos/{owner}/{repo}/pulls/{pull_number}/reviews
+          owner: ${{ github.event.repository.owner.login }}
+          repo: ${{ github.event.repository.name }}
+          pull_number: ${{ github.event.pull_request.number }}
+          event: APPROVE
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/release.yml .github/workflows/post-release.yml.github/workflows/release.yml renamed to .github/workflows/post-release.yml

@@ -1,12 +1,12 @@
-name: Release
+name: Post Release
 
 on:
   push:
     tags: ["v*"]
 
 jobs:
   homebrew:
-    name: Bump Homebrew formula
+    name: Bump Homebrew Formula
     runs-on: ubuntu-latest
     steps:
       - uses: mislav/bump-homebrew-formula-action@v3

.prettierrc.json

@@ -0,0 +1 @@
+{}

pkg/dbmate/version.go

@@ -1,4 +1,4 @@
 package dbmate
 
 // Version of dbmate
-const Version = "2.29.0"
+const Version = "2.29.1"

typescript/package.json

@@ -1,5 +1,6 @@
 {
   "private": true,
+  "packageManager": "npm@11.7.0",
   "scripts": {
     "clean": "rimraf dist packages/dbmate/dist",
     "lint": "eslint --report-unused-disable-directives --fix .",

typescript/packages/dbmate/package.json

@@ -2,7 +2,10 @@
   "name": "dbmate",
   "version": "",
   "description": "A lightweight, framework-agnostic database migration tool",
-  "repository": "https://github.com/amacneil/dbmate",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/amacneil/dbmate.git"
+  },
   "homepage": "https://github.com/amacneil/dbmate#readme",
   "author": "Adrian Macneil",
   "license": "MIT",
@@ -15,7 +18,9 @@
     "schema",
     "sqlite"
   ],
-  "bin": "./dist/cli.js",
+  "bin": {
+    "dbmate": "dist/cli.js"
+  },
   "main": "./dist/index.js",
   "files": [
     "dist"

typescript/packages/template/package.json

@@ -2,7 +2,12 @@
   "name": "{{name}}",
   "version": "{{version}}",
   "description": "The {{jsOS}} {{jsArch}} binary for dbmate",
-  "repository": "https://github.com/amacneil/dbmate",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/amacneil/dbmate.git"
+  },
+  "homepage": "https://github.com/amacneil/dbmate#readme",
+  "author": "Adrian Macneil",
   "license": "MIT",
   "preferUnplugged": true,
   "os": [

typescript/publish.ts

@@ -8,7 +8,17 @@ async function main() {
   );
 
   for (const pkg of packages) {
-    await exec("npm", ["publish", "--access", "public", pkg]);
+    // Unset NODE_AUTH_TOKEN to avoid conflicts with OIDC trusted publishing
+    delete process.env.NODE_AUTH_TOKEN;
+    await exec("corepack", ["npm", "--version"]);
+    await exec("corepack", [
+      "npm",
+      "publish",
+      "--provenance",
+      "--access",
+      "public",
+      pkg,
+    ]);
   }
 }