Enforce NPM trusted-publishers as mitigation

[RafaelGSS]

Due to recent supply chain attacks caused by phishing, relying on this new OIDC authentication for publishing new packages would add a new barrier to those who attempt to introduce malicious code to packages. People still can be tricked into running the action and publishing the package, but I'd say the scope is less sensitive than hijacking the NPM_TOKEN.

I wonder if we can make this a must for OpenJS Foundation projects.

https://docs.npmjs.com/trusted-publishers

[RafaelGSS]

Ok, just found out that enabling trusted-publishing doesn't automatically disallow the legacy methods, so it won't solve the problem.

[sheplu]

As of today there is no "one solution". it will require configuration on multiple tooling. I am writing a setup that I demoed yesterday for the Express organization but this is not a silver bullet and to enforce the right 2FA security level it will require some custom implementation and code