chore: enable trusted publishing release (#3026)

iliapolo · Vieltojarvi · web-flow · commit 060bcbfc69a8 · 2025-10-23T19:00:32.000Z
Change npm publishing step to use trusted publishers - requires also
bumping to node 24.

---------

Co-authored-by: Vieltojarvi &lt;lvielto@amazon.com&gt;
diff --git a/.github/workflows/health_checks.yml b/.github/workflows/health_checks.yml
@@ -912,14 +912,17 @@ jobs:
       - e2e_hosting
       - resolve_inputs
     runs-on: ubuntu-latest
+    environment: release
+    permissions:
+      id-token: write
     steps:
       - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # version 4.1.4
       - uses: ./.github/actions/setup_node
         with:
-          node-version: 18
+          node-version: 24
       - uses: ./.github/actions/restore_build_cache
         with:
-          node-version: 18
+          node-version: 24
           cdk-lib-version: ${{ needs.resolve_inputs.outputs.cdk_lib_version }}
       - id: is_version_packages_commit
         run: echo "is_version_packages_commit=$(npx tsx scripts/is_version_packages_commit.ts)" >> "$GITHUB_OUTPUT"
@@ -932,7 +935,7 @@ jobs:
           publish: npm run publish
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_TRUSTED_PUBLISHER: 'true'
       - name: Update hotfix branch
         if: ${{ steps.changeset_publish.outputs.published == 'true' && github.ref_name == 'main' }}
         run: git push origin main:hotfix --force
