Merge pull request #2624 from firebase/jh-trusted-publisher

Migrating to trusted publisher

Author: joehan

.github/workflows/npm_publish_bq_scripts.yml

@@ -7,14 +7,16 @@ on:
         description: "The package name to publish"
         required: true
         default: "@firebaseextensions/fs-bq-schema-views"
+permissions:
+  id-token: write
 jobs:
   publish_if_newer_version:
     runs-on: ubuntu-latest
     name: publish_if_newer_version
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
       - name: Setup node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: 20
       - name: NPM install
@@ -23,26 +25,20 @@ jobs:
         if:
           ${{ github.event.inputs.package_name ==
           '@firebaseextensions/fs-bq-schema-views'}}
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN_BQ_SCHEMA_VIEWS }}
         run: |
           cd firestore-bigquery-export/scripts/gen-schema-view
           ${{ github.workspace }}/.github/workflows/scripts/npm_publish.sh
       - name: Publish BigQuery Import Collection
         if:
           ${{ github.event.inputs.package_name ==
           '@firebaseextensions/fs-bq-import-collection'}}
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN_BQ_IMPORT_COLLECTION }}
         run: |
           cd firestore-bigquery-export/scripts/import
           ${{ github.workspace }}/.github/workflows/scripts/npm_publish.sh
       - name: Publish BigQuery Change Tracker
         if:
           ${{ github.event.inputs.package_name ==
           '@firebaseextensions/firestore-bigquery-change-tracker'}}
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN_BQ_CHANGE_TRACKER }}
         run: |
           cd firestore-bigquery-export/firestore-bigquery-change-tracker
           ${{ github.workspace }}/.github/workflows/scripts/npm_publish.sh

.github/workflows/scripts/npm_publish.sh

@@ -62,16 +62,5 @@ if npm_package_version_exists "$NPM_PACKAGE_NAME" "$NPM_PACKAGE_VERSION"; then
   exit 0
 fi
 
-# Ensure that the NPM_TOKEN env variable is defined before we can publish the package.
-if [[ -z "$NPM_TOKEN" ]]; then
-  echo "Missing required NPM_TOKEN env variable. Set this on the workflow action or on your local environment."
-  echo "Skipping publishing of this NPM package."
-  exit 1
-fi
-
-echo "NPM package $NPM_PACKAGE_NAME and version $NPM_PACKAGE_VERSION does NOT EXIST on the NPM registry."
-npm config set //wombat-dressing-room.appspot.com/:_authToken=${NPM_TOKEN}
-
 echo "Attempting to publish $NPM_PACKAGE_NAME version $NPM_PACKAGE_VERSION..."
-# This registry allows Googlers to publish with a temporary token from http://go/npm-publish
-npm publish --registry https://wombat-dressing-room.appspot.com
+npm publish