chore: update workflow to use trusted publishing

Author: UziTech

.github/workflows/automerge.yml

@@ -1,39 +1,39 @@
 name: "Automerge"
 on:
-  workflow_run:
-    workflows:
-      - CI
-    types:
-      - completed
+    workflow_run:
+        workflows:
+            - CI
+        types:
+            - completed
 
 jobs:
-  Automerge:
-    runs-on: ubuntu-latest
-    if: |
-      github.event.workflow_run.event == 'pull_request' &&
-      github.event.workflow_run.conclusion == 'success'
-    steps:
-      - name: 'Merge PR'
-        uses: actions/github-script@v8
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            const pr = await github.rest.pulls.get({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              pull_number: context.payload.workflow_run.pull_requests[0].number,
-            });
-            if (!pr.data.title.startsWith('chore(deps-dev):')) {
-              console.log('Not Merged 🚫');
-              console.log(`Title === '${pr.data.title}'`);
-            } else if (pr.data.user.login !== 'dependabot[bot]') {
-              console.log('Not Merged 🚫');
-              console.log(`User === '${pr.data.user.login}'`);
-            } else {
-              await github.rest.pulls.merge({
-                owner: context.repo.owner,
-                repo: context.repo.repo,
-                pull_number: context.payload.workflow_run.pull_requests[0].number,
-              });
-              console.log('Merged 🎉');
-            }
+    Automerge:
+        runs-on: ubuntu-latest
+        if: |
+            github.event.workflow_run.event == 'pull_request' &&
+            github.event.workflow_run.conclusion == 'success'
+        steps:
+            - name: "Merge PR"
+              uses: actions/github-script@v8
+              with:
+                  github-token: ${{ secrets.GITHUB_TOKEN }}
+                  script: |
+                      const pr = await github.rest.pulls.get({
+                        owner: context.repo.owner,
+                        repo: context.repo.repo,
+                        pull_number: context.payload.workflow_run.pull_requests[0].number,
+                      });
+                      if (!pr.data.title.startsWith('chore(deps-dev):')) {
+                        console.log('Not Merged 🚫');
+                        console.log(`Title === '${pr.data.title}'`);
+                      } else if (pr.data.user.login !== 'dependabot[bot]') {
+                        console.log('Not Merged 🚫');
+                        console.log(`User === '${pr.data.user.login}'`);
+                      } else {
+                        await github.rest.pulls.merge({
+                          owner: context.repo.owner,
+                          repo: context.repo.repo,
+                          pull_number: context.payload.workflow_run.pull_requests[0].number,
+                        });
+                        console.log('Merged 🎉');
+                      }

.github/workflows/tests.yml

@@ -1,67 +1,66 @@
 name: "CI"
 on:
-  pull_request:
-  push:
-    branches:
-      - master
+    pull_request:
+    push:
+        branches:
+            - master
 
-jobs:
-
-  Test:
-    if: "!contains(github.event.head_commit.message, '[skip ci]')"
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout Code
-        uses: actions/checkout@v6
-      - name: Install Node
-        uses: actions/setup-node@v6
-        with:
-          node-version: '*'
-      - name: Install Dependencies
-        run: npm ci
-      - name: Run Tests 👩🏽‍💻
-        run: |
-          npm run unit-test
-          npm run func-test
-          npm run logger-test
+permissions:
+    contents: read
 
-  Lint:
-    if: "!contains(github.event.head_commit.message, '[skip ci]')"
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout Code
-        uses: actions/checkout@v6
-      - name: Install Node
-        uses: actions/setup-node@v6
-        with:
-          node-version: 'lts/*'
-      - name: Install Dependencies
-        run: npm ci
-      - name: Lint ✨
-        run: npm run lint
+jobs:
+    Test:
+        if: "!contains(github.event.head_commit.message, '[skip ci]')"
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout Code
+              uses: actions/checkout@v6
+            - name: Install Node
+              uses: actions/setup-node@v6
+              with:
+                  node-version: "*"
+            - name: Install Dependencies
+              run: npm ci
+            - name: Run Tests 👩🏽‍💻
+              run: |
+                  npm run unit-test
+                  npm run func-test
+                  npm run logger-test
 
-  Release:
-    needs: [Test, Lint]
-    if: github.ref == 'refs/heads/master'
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout Code
-        uses: actions/checkout@v6
-      - name: Install Node
-        uses: actions/setup-node@v6
-        with:
-          node-version: 'lts/*'
-      - name: Install Dependencies
-        run: npm ci
-      - name: Release 🎉
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-        run: npx semantic-release
+    Lint:
+        if: "!contains(github.event.head_commit.message, '[skip ci]')"
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout Code
+              uses: actions/checkout@v6
+            - name: Install Node
+              uses: actions/setup-node@v6
+              with:
+                  node-version: "lts/*"
+            - name: Install Dependencies
+              run: npm ci
+            - name: Lint ✨
+              run: npm run lint
 
-  Skip:
-    if: contains(github.event.head_commit.message, '[skip ci]')
-    runs-on: ubuntu-latest
-    steps:
-      - name: Skip CI 🚫
-        run: echo skip ci
+    Release:
+        permissions:
+            contents: write # to be able to publish a GitHub release
+            issues: write # to be able to comment on released issues
+            pull-requests: write # to be able to comment on released pull requests
+            id-token: write # to enable use of OIDC for trusted publishing and npm provenance
+        needs: [Test, Lint]
+        if: github.ref == 'refs/heads/master'
+        runs-on: ubuntu-latest
+        steps:
+            - name: Checkout Code
+              uses: actions/checkout@v6
+            - name: Install Node
+              uses: actions/setup-node@v6
+              with:
+                  node-version: "lts/*"
+            - name: Install Dependencies
+              run: npm ci
+            - name: Release 🎉
+              env:
+                  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+              run: npx semantic-release