chore(workflow): enable trusted publishing (#46)

chenjiahan · web-flow · commit 789ccb4e78d0 · 2025-08-28T21:48:21.000+08:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -1,4 +1,3 @@
-
 name: Release Full
 
 on:
@@ -29,25 +28,22 @@ on:
           - latest
           - beta
           - alpha
-      
+
       dry_run:
         type: boolean
         description: "DryRun release"
         required: true
         default: false
 
 permissions:
+  contents: write
   # To publish packages with provenance
   id-token: write
 
 jobs:
   release:
     name: Release
     environment: npm
-    permissions:
-      contents: write
-      # To publish packages with provenance
-      id-token: write
     runs-on: ubuntu-latest
 
     steps:
@@ -63,41 +59,21 @@ jobs:
           node-version: 20
           cache: "pnpm"
 
+      # Update npm to the latest version to enable OIDC
+      - name: Update npm
+        run: |
+          npm install -g npm@latest
+          npm --version
+
       - name: Install Dependencies
         run: pnpm install
 
       - name: Run Test
         run: pnpm run test
-      - name: Obtain OIDC token
-        id: oidc
-        run: |
-          token=$(curl --fail -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
-            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=cfa.rspack.dev" | jq -r '.value')
-          echo "::add-mask::${token}"
-          echo "token=${token}" >> $GITHUB_OUTPUT
-        shell: bash
-      - name: Obtain GitHub credentials
-        id: github_creds
-        run: |
-          token=$(curl --fail "https://cfa.rspack.dev/api/request/${{ secrets.CFA_PROJECT_ID }}/github/credentials" \
-            -X POST \
-            -H "Content-Type: application/json" \
-            -H "Authorization: bearer ${{ secrets.CFA_SECRET }}" \
-            --data "{\"token\":\"${{ steps.oidc.outputs.token }}\"}" | jq -r '.GITHUB_TOKEN')
-          echo "::add-mask::${token}"
-          echo "token=${token}" >> $GITHUB_OUTPUT
-        shell: bash
+
       - name: Try release to npm
         run: pnpm run release
         env:
           DRY_RUN: ${{ inputs.dry_run }}
           TAG: ${{ inputs.tag }}
           VERSION: ${{ inputs.version }}
-          CFA_HOST: https://cfa.rspack.dev
-          GITHUB_TOKEN: ${{ steps.github_creds.outputs.token }}
-          GITHUB_OIDC_TOKEN: ${{ steps.oidc.outputs.token }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-          CFA_PROJECT_ID: ${{ secrets.CFA_PROJECT_ID }}
-          CFA_SECRET: ${{ secrets.CFA_SECRET }}
-
-  
diff --git a/package.json b/package.json
@@ -41,7 +41,6 @@
   },
   "devDependencies": {
     "@biomejs/biome": "^1.9.4",
-    "@continuous-auth/client": "2.3.2",
     "@rslib/core": "^0.11.0",
     "@rspack/core": "1.4.11",
     "@types/jest": "29.5.14",
@@ -76,7 +75,6 @@
   "packageManager": "pnpm@10.14.0",
   "publishConfig": {
     "access": "public",
-    "registry": "https://registry.npmjs.org/",
-    "provenance": true
+    "registry": "https://registry.npmjs.org/"
   }
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
diff --git a/scripts/release.mjs b/scripts/release.mjs
@@ -1,14 +1,12 @@
 import path from 'path';
 import * as url from 'url';
-import { getOtp } from '@continuous-auth/client';
 import { $ } from 'execa';
 import fs from 'fs-extra';
 import { inc } from 'semver';
 
 const RELEASE_TAG = process.env.TAG || 'beta';
 const RELEASE_DRY_RUN = process.env.DRY_RUN || 'true';
 const RELEASE_VERSION_TYPE = process.env.VERSION || 'prerelease';
-const RELEASE_NPM_TOKEN = process.env.NPM_TOKEN || '';
 
 const __dirname = url.fileURLToPath(new URL('.', import.meta.url));
 const PKG_PATH = path.resolve(__dirname, '../package.json');
@@ -28,29 +26,16 @@ console.info(`Updating version from ${currentVersion} to ${nextVersion}`);
 pkg.version = nextVersion;
 fs.writeJsonSync(PKG_PATH, pkg, { spaces: 2 });
 
-// Write npmrc
-const npmrcPath = `${process.env.HOME}/.npmrc`;
-console.info(`Writing npmrc to ${npmrcPath}`);
-fs.writeFileSync(
-  npmrcPath,
-  `//registry.npmjs.org/:_authToken=${RELEASE_NPM_TOKEN}`,
-);
-
 // Publish to npm
 console.info(`Publishing to npm with tag ${RELEASE_TAG}`);
 const dryRun = RELEASE_DRY_RUN === 'true' ? ['--dry-run'] : [];
-console.log('Getting OTP code');
-let otp = await getOtp();
-console.log('OTP code get, continuing...');
 
 try {
-  await $`pnpm publish ${dryRun} --tag ${RELEASE_TAG} --otp ${otp} --no-git-checks --provenance`;
+  await $`pnpm publish ${dryRun} --tag ${RELEASE_TAG} --no-git-checks`;
   console.info(`Published successfully`);
 } catch (e) {
   console.error(`Publish failed: ${e.message}`);
   process.exit(1);
-} finally {
-  fs.removeSync(npmrcPath);
 }
 
 // Push tag to github
