ci: migrate to npm trusted publisher (#474)

* ci: switch to npm trusted publisher

* ci: add OIDC token write permission

* ci: fix permissions

* fix: format

* fix: update callers permissions

* fix: permissions

* ci: merge publish workflows to enable single trusted publisher

* fix: format

* ci: trigger workflow

* ci: use latest publish-npm version

* ci: add trusted publisher warning comment in workflow

* style: update comment

Co-authored-by: abbesBenayache <[email protected]>

---------

Co-authored-by: abbesBenayache <[email protected]>

Author: PierreJeanjacquot

.github/workflows/npm-latest.yml

@@ -0,0 +1,36 @@
+# ⚠️ THIS WORKFLOW IS THE TRUSTED PUBLISHER CONFIGURED ON NPMJS.COM, DO NOT RENAME OR DELETE THIS FILE ⚠️
+name: npm publish
+
+on:
+  # For staging releases
+  workflow_dispatch:
+  # For latest releases
+  release:
+    types: [published]
+
+permissions:
+  id-token: write # Required for OIDC
+  packages: write
+  contents: read
+
+jobs:
+  compute-staging-version:
+    # Only run for manual dispatch (staging)
+    if: github.event_name == 'workflow_dispatch'
+    uses: ./.github/workflows/reusable-compute-staging-version.yml
+
+  npm-publish-staging:
+    # Only run for manual dispatch (staging)
+    if: github.event_name == 'workflow_dispatch'
+    uses: ./.github/workflows/reusable-npm.yml
+    needs: [compute-staging-version]
+    with:
+      version: ${{ needs.compute-staging-version.outputs.version }}
+      tag: ${{ needs.compute-staging-version.outputs.dist-tag }}
+
+  npm-publish-latest:
+    # Only run for release published (latest)
+    if: github.event_name == 'release'
+    uses: ./.github/workflows/reusable-npm.yml
+    with:
+      tag: latest

.github/workflows/npm-publish.yml

@@ -16,14 +16,10 @@ on:
         description: 'npm publish tag (e.g., latest, nightly)'
         default: ''
         type: string
-    secrets:
-      npm-token:
-        description: 'NPM auth token (required unless `dry-run: true`)'
-        required: false
 
 jobs:
   npm-publish:
-    uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/publish-npm.yml@publish-npm-v1.5.0
+    uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/publish-npm.yml@publish-npm-v1.6.0
     with:
       install-command: npm ci
       build-command: npm run build
@@ -32,5 +28,3 @@ jobs:
       version: ${{ inputs.version }}
       environment: ${{ (inputs.dry-run && '') || inputs.tag }}
       provenance: ${{ !inputs.dry-run }}
-    secrets:
-      npm-token: ${{ secrets.npm-token }}