From 847ab82c934aaa5f68181aaf9e711fac5cc4a570 Mon Sep 17 00:00:00 2001
From: Pierre Jeanjacquot <26487010+PierreJeanjacquot@users.noreply.github.com>
Date: Thu, 16 Oct 2025 15:59:04 +0200
Subject: [PATCH] ci: migrate to npm trusted publisher

---
 .github/workflows/reusable-sdk-npm.yml | 8 +----
 .github/workflows/sdk-npm-publish.yml | 48 ------------------------
 .github/workflows/sdk-publish-npm.yml | 49 ++++++++++++++++++++++++++
 .github/workflows/sdk-release.yml | 14 --------
 4 files changed, 50 insertions(+), 69 deletions(-)
 delete mode 100644 .github/workflows/sdk-npm-publish.yml
 create mode 100644 .github/workflows/sdk-publish-npm.yml
 delete mode 100644 .github/workflows/sdk-release.yml

diff --git a/.github/workflows/reusable-sdk-npm.yml b/.github/workflows/reusable-sdk-npm.yml
index 5471d23..7f80bf9 100644
--- a/.github/workflows/reusable-sdk-npm.yml
+++ b/.github/workflows/reusable-sdk-npm.yml
@@ -16,14 +16,10 @@ on:
 description: 'npm publish tag (e.g., latest, nightly)'
 default: ''
 type: string
- secrets:
- npm-token:
- description: 'NPM auth token (required unless `dry-run: true`)'
- required: false

 jobs:
 publish-npm:
- uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/publish-npm.yml@publish-npm-v1.5.0
+ uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/publish-npm.yml@publish-npm-v1.6.0
 with:
 scope: '@iexec/web3telegram'
 tag: ${{ inputs.tag }}
@@ -31,5 +27,3 @@ jobs:
 environment: ${{ (inputs.dry-run && '') || inputs.tag }}
 provenance: ${{ !inputs.dry-run }}
 dry-run: ${{ inputs.dry-run }}
- secrets:
- npm-token: ${{ secrets.npm-token }}
diff --git a/.github/workflows/sdk-npm-publish.yml b/.github/workflows/sdk-npm-publish.yml
deleted file mode 100644
index 265371e..0000000
--- a/.github/workflows/sdk-npm-publish.yml
+++ /dev/null
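Review bot: The bumped reference `uses: iExecBlockchainComputing/github-actions-workflows/.github/workflows/publish-npm.yml@publish-npm-v1.6.0` still pins the reusable publish workflow to a mutable tag; with the `npm-token` secret gone this caller presumably publishes through OIDC trusted publishing, so whatever that tag resolves to at run time is what obtains the publish credential, and pinning to a full commit SHA with the tag kept as a comment (`...publish-npm.yml@<commit-sha>  # publish-npm-v1.6.0`) removes that moving part. Dropping the `secrets` block also shifts the OIDC requirement onto callers, but nothing in this file says so; a comment on the `publish-npm` job such as `# Callers must grant permissions: id-token: write (npm trusted publishing via OIDC)` would make the contract visible. The second hunk on this line, which removes the `secrets.npm-token` pass-through, is consistent with this change and needs nothing further. The `on.workflow_call.inputs` block this hunk edits starts above the hunk.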
@@ -1,48 +0,0 @@
-name: Publish Package NPM - web3telegram
-
-on:
- workflow_dispatch:
- inputs:
- tag:
- description: 'NPM tag to publish (latest or nightly)'
- required: true
- type: choice
- options:
- - latest
- - nightly
- default: nightly
-
-jobs:
- set-publish-version:
- # Run only on main branch
- if: github.ref == 'refs/heads/main'
- runs-on: ubuntu-latest
- steps:
- - name: Checkout code
- uses: actions/checkout@v4
- - name: Set up Node.js
- uses: actions/setup-node@v4
- - name: Set publish version
- id: set-publish-version
- if: github.event.inputs.tag == 'nightly'
- run: |
- if [ "${{ github.event.inputs.tag }}" == "nightly" ]; then
- CURRENT_VERSION=$(npm pkg get version | tr -d '"')
- NIGHTLY_VERSION="${CURRENT_VERSION}-nightly-${GITHUB_SHA::7}"
- echo "VERSION=${NIGHTLY_VERSION}" >> $GITHUB_OUTPUT
- else
- echo "VERSION=$(npm pkg get version | tr -d '"')" >> $GITHUB_OUTPUT
- fi
- outputs:
- VERSION: ${{ steps.set-publish-version.outputs.VERSION }}
-
- publish-npm:
- # Run only on main branch
- if: github.ref == 'refs/heads/main'
- uses: ./.github/workflows/reusable-sdk-npm.yml
- needs: set-publish-version
- with:
- tag: ${{ github.event.inputs.tag }}
- version: ${{ needs.set-publish-version.outputs.VERSION }}
- secrets:
- npm-token: ${{ secrets.NPM_TOKEN }}
diff --git a/.github/workflows/sdk-publish-npm.yml b/.github/workflows/sdk-publish-npm.yml
new file mode 100644
index 0000000..587f3da
--- /dev/null
+++ b/.github/workflows/sdk-publish-npm.yml
@@ -0,0 +1,49 @@
+# ⚠️ THIS WORKFLOW IS THE TRUSTED PUBLISHER CONFIGURED ON NPMJS.COM, DO NOT RENAME OR DELETE THIS FILE ⚠️
+name: Publish NPM Package
+
+on:
+ # For staging releases
+ workflow_dispatch:
+ # For latest releases
+ release:
+ types: [published]
+
+permissions:
+ id-token: write # Required for OIDC
+ packages: write
+ contents: read
+
+jobs:
+ set-staging-version:
+ # Only run for manual dispatch on main branch
+ if: ${{ github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main' }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+ - name: Set up Node.js
+ uses: actions/setup-node@v4
+ - name: Set publish version
+ id: set-staging-version
+ run: |
+ CURRENT_VERSION=$(npm pkg get version | tr -d '"')
+ NIGHTLY_VERSION="${CURRENT_VERSION}-nightly-${GITHUB_SHA::7}"
+ echo "VERSION=${NIGHTLY_VERSION}" >> $GITHUB_OUTPUT
+ outputs:
+ VERSION: ${{ steps.set-staging-version.outputs.VERSION }}
+
+ publish-npm-staging:
+ # Only run for manual dispatch on main branch
+ if: ${{ github.event_name == 'workflow_dispatch' && github.ref == 'refs/heads/main' }}
+ uses: ./.github/workflows/reusable-sdk-npm.yml
+ needs: set-staging-version
+ with:
+ tag: ${{ github.event.inputs.tag }}
+ version: ${{ needs.set-staging-version.outputs.VERSION }}
+
+ publish-npm-latest:
+ # # Only run for release published with tag "web3telegram-v*"
+ if: ${{ github.event_name == 'release' && startsWith(github.ref_name,'web3telegram-v') }}
+ uses: ./.github/workflows/reusable-sdk-npm.yml
+ with:
+ tag: 'latest'
diff --git a/.github/workflows/sdk-release.yml b/.github/workflows/sdk-release.yml
deleted file mode 100644
index 452f6d1..0000000
--- a/.github/workflows/sdk-release.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-name: publish-npm-sdk-latest
-
-on:
- push:
- tags:
- - 'web3telegram-v*'
-
-jobs:
- publish-npm:
- uses: ./.github/workflows/reusable-sdk-npm.yml
- with:
- tag: 'latest'
- secrets:
- npm-token: ${{ secrets.NPM_TOKEN }}
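Review bot: `publish-npm-staging` passes `tag: ${{ github.event.inputs.tag }}`, but the new `workflow_dispatch` trigger declares no `inputs`, so the expression evaluates to an empty string and the reusable workflow falls back to its `''` default for `tag`; depending on how the upstream publish-npm workflow treats an empty tag, the nightly-suffixed version built by `set-staging-version` could be published without a dist-tag, which npm resolves to `latest`. Either hard-code `tag: 'nightly'` in that job or restore a `tag` input under `workflow_dispatch` (the deleted sdk-npm-publish.yml carried a `choice` input restricted to `latest`/`nightly`). The top-level `permissions` also grant `id-token: write` and `packages: write` to every job, including `set-staging-version`, which only needs `contents: read`; moving `id-token: write` to job-level `permissions:` on the two publish jobs keeps least privilege, and `packages: write` looks unused for an npmjs.com trusted publisher unless the upstream workflow also targets GitHub Packages. The comment above `publish-npm-latest` has a doubled `# #` and should read `# Only run for release published with tag "web3telegram-v*"`.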