feat(ci/cd): switch to npm trusted publishing #328
hainenber wants to merge 1 commit into istanbuljs:master from
Conversation
Signed-off-by: hainenber <dotronghai96@gmail.com>
Hey @SimenB - might you have a bit of time to look at this PR please and get this project set up for trusted publishing to npmjs via OIDC? This may solve #325, enabling some version >= 8.x to be published so upstream projects like jest can get the security updates they need. Thanks! 🙂
I don't have publish access to this package, so I'm unable to update the settings on the npm side
I'll be pinging
Hi @bcoe, do you happen to have publish access to this package on
Context is that we're looking for a sustainable way to publish new
Regards!
@xdissent @wyze @vinteo @sindresorhus @rjaltman @kpdecker @kentcdodds @jamestalmage @JaKXz @gyehuda @coreyfarrell @addaleax @bcoe (Apologies for the mass ping.) Would anyone be able to help with the publish configuration on npmjs.com for this package? It’s blocking the next release. Refs: #328 (comment)
Looks good to me but I don't have merge access.
It won't work to merge unless somebody with publish access fixes the npm settings
Looking at https://www.npmjs.com/package/babel-plugin-istanbul the Collaborators listed are @gotwarlost @bcoe @coreyfarrell and what looks like a bot (https://www.npmjs.com/~oss-bot).
A potential alternative for upstream projects (ex: jestjs/jest#15853) would be to install from GitHub rather than npmjs.
npm install github:istanbuljs/babel-plugin-istanbul#v8.0.2
I do not know all of the larger picture implications this may have.
I might just fork for Jest and migrate it at least for the dep updates. Then move back if and when any istanbul maintainers (beyond myself 😀) see it |
@SimenB not fully related to this specific PR, but we (Vitest team) have also been thinking about forking Istanbul packages due to the struggle of getting PRs merged. 🤷 I would also be happy to start maintaining istanbuljs organization packages if there's still someone with access rights left. Or is it time for a new community-driven fork?
Fixes #325
This PR is to switch npm publish from token-based to trusted publishing, eliminating the long-lived token for longevity. However, the project's maintainer needs to walk through this section to set up the necessary config on the npm side, as this PR implements the 2nd part. Once the PR is merged and package version 8.x gets released, it'll resolve a breed of issues on the deprecated glob and inflight packages.
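For readers who have not done this switch before, here is an added example of what the CI-side half looks like; it is not the workflow from this PR or from the istanbuljs project. It assumes the package is published from a GitHub Actions workflow file named release.yml in the istanbuljs/babel-plugin-istanbul repository, and that a maintainer has already registered that repository and workflow filename as a trusted publisher on npmjs.com (the "npm side" step the description refers to). The old token-based step is kept as a comment beside its replacement so the difference is visible, and a second job installs the freshly published version and verifies its registry signature and provenance attestation.

```yaml
# Added example, not the PR's actual workflow. Assumptions: the file is
# .github/workflows/release.yml and npmjs.com has this exact repository and
# filename configured as a trusted publisher for babel-plugin-istanbul.
name: release

on:
  push:
    tags:
      - "v*"

permissions:
  contents: read

jobs:
  publish:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Required: lets the job request a GitHub OIDC token, which npm exchanges
      # for a short-lived publish credential. No long-lived NPM_TOKEN secret.
      id-token: write
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 22
          # Point the npm CLI at the public registry. With trusted publishing
          # there is no NODE_AUTH_TOKEN to set here.
          registry-url: https://registry.npmjs.org

      # Trusted publishing needs npm CLI 11.5.1 or newer; the runner's bundled
      # version may be older (assumption), so upgrade first.
      - run: npm install -g npm@latest

      - run: npm ci
      - run: npm test

      # Before (token-based, the setting this PR retires):
      #   - run: npm publish
      #     env:
      #       NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
      #
      # After: no secret in the environment. The CLI authenticates via OIDC and
      # a provenance attestation is generated automatically.
      - run: npm publish

  verify:
    needs: publish
    runs-on: ubuntu-latest
    steps:
      - uses: actions/setup-node@v4
        with:
          node-version: 22
      - run: npm install -g npm@latest
      # Install the version that was just tagged into an empty project and
      # check that it carries a valid registry signature and provenance
      # attestation. Registry propagation can lag a little after publish, so
      # the install is retried a few times before giving up.
      - run: |
          mkdir verify && cd verify
          npm init -y >/dev/null
          version="${GITHUB_REF_NAME#v}"
          for attempt in 1 2 3 4 5; do
            if npm install "babel-plugin-istanbul@${version}"; then break; fi
            echo "attempt ${attempt}: version ${version} not visible yet, retrying"
            sleep 30
          done
          npm audit signatures
```

The only job-level difference from a token-based workflow is `id-token: write`; keep `contents: read` at the job level too, because a job-level `permissions` block replaces the top-level one rather than merging with it. The trusted-publisher entry on npmjs.com is matched against the repository and the workflow filename, so renaming the file or moving the publish step into a reusable workflow will make publishes fail until the npm-side configuration is updated to match.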