feat: migrate npm publish to OIDC authentication

.github/workflows/release.yml

@@ -7,6 +7,10 @@ on:
     branches:
       - main
 
+permissions:
+  id-token: write
+  contents: write
+
 jobs:
   publish:
     if:
@@ -22,7 +26,7 @@ jobs:
       - name: Set up Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: "20.x"
+          node-version: "22.x"
           registry-url: "https://registry.npmjs.org/"
 
       - uses: pnpm/action-setup@v4
@@ -37,15 +41,11 @@ jobs:
         if: ${{ github.event.pull_request.head.ref == 'prepare-release' }}
         run: |
           pnpm release
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Publish prerelease to npm
         if: ${{ github.event.pull_request.head.ref == 'prepare-prerelease' }}
         run: |
           pnpm release:prerelease
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Extract changelog for version
         id: get_changelog

package.json

@@ -16,8 +16,8 @@
     "format": "turbo format lint:fix",
     "clean": "git clean -fdX && pnpm store prune",
     "ci": "pnpm clean && pnpm i",
-    "release": "pnpm build && pnpm -r --filter=@cartridge/controller --filter=@cartridge/connector publish --tag latest --no-git-checks --access public",
-    "release:prerelease": "pnpm build && pnpm -r --filter=@cartridge/controller --filter=@cartridge/connector publish --tag prerelease --no-git-checks --access public",
+    "release": "pnpm build && pnpm -r --filter=@cartridge/controller --filter=@cartridge/connector publish --tag latest --no-git-checks --access public --provenance",
+    "release:prerelease": "pnpm build && pnpm -r --filter=@cartridge/controller --filter=@cartridge/connector publish --tag prerelease --no-git-checks --access public --provenance",
     "keychain": "pnpm --filter @cartridge/keychain",
     "controller": "pnpm --filter @cartridge/controller",
     "connector": "pnpm --filter @cartridge/connector",