fix: use npm OIDC

Check upstash/ratelimit-js#149 for more details

Author: CahidArda

.github/workflows/ci.yml

@@ -0,0 +1,26 @@
+name: CI
+
+on:
+  pull_request:
+  release:
+    types:
+      - published
+  schedule:
+    - cron: "0 0 * * *"
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  tests:
+    if: github.event_name != 'release'
+    uses: ./.github/workflows/test.yaml
+    secrets: inherit
+
+  release:
+    if: github.event_name == 'release'
+    uses: ./.github/workflows/release.yaml
+    with:
+      prerelease: ${{ github.event.release.prerelease }}
+    secrets: inherit

.github/workflows/release.yaml

@@ -1,17 +1,19 @@
 name: Release
 
 on:
-  release:
-    types:
-      - published
+  workflow_call:
+    inputs:
+      prerelease:
+        type: boolean
+        required: true
 
 jobs:
   release:
     name: Release
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Set env
         run: echo "VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV
@@ -30,19 +32,22 @@ jobs:
       - name: Build
         run: bun run build
 
-      - name: Set NPM_TOKEN
-        run: npm set "//registry.npmjs.org/:_authToken" ${{ secrets.NPM_TOKEN }}
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 24
+          registry-url: https://registry.npmjs.org
 
       - name: Publish
-        if: "!github.event.release.prerelease"
+        if: ${{ !inputs.prerelease }}
         working-directory: ./dist
         run: |
           npm pkg delete scripts.prepare
-          npm publish --access public
+          npm publish --provenance --access public
 
       - name: Publish release candidate
-        if: "github.event.release.prerelease"
+        if: ${{ inputs.prerelease }}
         working-directory: ./dist
         run: |
           npm pkg delete scripts.prepare
-          npm publish --access public --tag=canary
+          npm publish --provenance --access public --tag=canary

.github/workflows/test.yaml

@@ -1,6 +1,7 @@
 name: Tests
+
 on:
-  pull_request:
+  workflow_call:
 
 env:
   QSTASH_TOKEN: ${{ secrets.QSTASH_TOKEN }}
@@ -589,17 +590,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
 
       - name: Get version
         id: version
         run: echo "::set-output name=version::v0.0.0-ci.${GITHUB_SHA}-$(date +%Y%m%d%H%M%S)"
 
-      - name: Setup Node
-        uses: actions/setup-node@v3
-        with:
-          node-version: 18
-
       - name: Setup Bun
         uses: oven-sh/setup-bun@v1
         with:
@@ -615,12 +611,17 @@ jobs:
       - name: Build
         run: bun run build
 
-      - name: Set NPM_TOKEN
-        run: npm config set //registry.npmjs.org/:_authToken=${{secrets.NPM_TOKEN}}
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: 24
+          registry-url: https://registry.npmjs.org
 
       - name: Publish ci version
-        run: npm publish --tag=ci --verbose
+        run: npm publish --provenance --tag=ci --verbose
         working-directory: ./dist
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
 
       - name: Sleep for 10s
         run: sleep 10s
@@ -633,9 +634,9 @@ jobs:
       - release
     steps:
       - name: Setup repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Setup node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: 20
 
@@ -664,9 +665,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Setup repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Setup nodejs
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: 20
 
@@ -713,9 +714,9 @@ jobs:
       - release
     steps:
       - name: Setup repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Setup node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: 18
 
@@ -749,9 +750,9 @@ jobs:
       - release
     steps:
       - name: Setup repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Setup node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: 20
 
@@ -780,9 +781,9 @@ jobs:
       - release
     steps:
       - name: Setup repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Setup node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: 20
 
@@ -811,9 +812,9 @@ jobs:
       - release
     steps:
       - name: Setup repo
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Setup node
-        uses: actions/setup-node@v3
+        uses: actions/setup-node@v4
         with:
           node-version: 20
 
@@ -833,4 +834,4 @@ jobs:
 
       - name: Test
         run: pnpm test
-        working-directory: examples/express
+        working-directory: examples/express