ci: migrate to npm trusted publishing (#1967)

- Add id-token: write permission for OIDC
- Remove NPM_TOKEN dependency
- Add --provenance flag to lerna publish

This enables npm's trusted publishing using OpenID Connect,
eliminating the need for long-lived npm tokens.

Author: just-jeb

.github/workflows/ci.yml

@@ -10,6 +10,9 @@ jobs:
   build:
     if: (!contains(github.event.head_commit.message, 'ci(release)'))
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
     strategy:
       fail-fast: true
 
@@ -44,11 +47,8 @@ jobs:
 
       - name: Publish to NPM
         if: github.ref == 'refs/heads/master'
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: |
-          git reset --hard	
+          git reset --hard
           git config --global user.name ${{ secrets.GIT_USER }}
           git config --global user.email ${{ secrets.GIT_EMAIL }}
-          npm config set //registry.npmjs.org/:_authToken=$NPM_TOKEN
           bash scripts/default-registry.sh

.github/workflows/graduate.yml

@@ -6,6 +6,9 @@ on:
 jobs:
   build_and_graduate:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: write
     strategy:
       fail-fast: true
 
@@ -35,11 +38,8 @@ jobs:
         run: yarn ci
 
       - name: Graduate beta release to NPM
-        env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: |
-          git reset --hard	
+          git reset --hard
           git config --global user.name ${{ secrets.GIT_USER }}
           git config --global user.email ${{ secrets.GIT_EMAIL }}
-          npm config set //registry.npmjs.org/:_authToken=$NPM_TOKEN
-          npm run graduate -- --yes
+          npm run graduate -- --yes --provenance

scripts/default-registry.sh

@@ -1,4 +1,4 @@
 
 #!/bin/bash
 
-yarn lerna publish --dist-tag=next --preid=beta --conventional-prerelease --yes
+yarn lerna publish --dist-tag=next --preid=beta --conventional-prerelease --yes --provenance