chore(ci): use npm trusted publish (#11343)

* chore: use npm oidc

* feat: use npm trusted publish

Author: stormslowly

.github/workflows/release-canary.yml

@@ -75,6 +75,7 @@ jobs:
     name: Release Canary
     runs-on: ubuntu-latest
     needs: build
+    environment: npm-canary
     steps:
       - name: Checkout Branch
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
@@ -105,10 +106,14 @@ jobs:
       - name: Resolve dependencies for bindings
         run: pnpm install --no-frozen-lockfile
 
+      # Update npm to the latest version to enable OIDC
+      - name: Update npm
+        run: |
+          npm install -g npm@latest
+          npm --version
+
       - name: Release
         run: |
           ./x version snapshot
           pnpm run build:js:canary
           ./x publish snapshot --tag latest
-        env:
-          NPM_TOKEN: ${{ secrets.RSPACK_CANARY_RELEASE_TOKEN }}

.github/workflows/release-debug.yml

@@ -30,6 +30,7 @@ jobs:
     name: Release Debug
     runs-on: ubuntu-latest
     needs: build
+    environment: npm-canary
     steps:
       - name: Checkout Branch
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
@@ -60,10 +61,14 @@ jobs:
       - name: Resolve dependencies for bindings
         run: pnpm install --no-frozen-lockfile
 
+      # Update npm to the latest version to enable OIDC
+      - name: Update npm
+        run: |
+          npm install -g npm@latest
+          npm --version
+
       - name: Release Debug
         run: |
           pnpm run build:js
           ./x version debug
           ./x publish stable --tag latest
-        env:
-          NPM_TOKEN: ${{ secrets.RSPACK_CANARY_RELEASE_TOKEN }}

.github/workflows/release-otp.yml

@@ -14,6 +14,7 @@ on:
           - latest
           - beta
           - alpha
+          - rc
       test:
         type: boolean
         description: "Run tests before release"
@@ -78,6 +79,7 @@ jobs:
 
   release:
     name: Release
+    environment: npm
     permissions:
       contents: write
       # To publish packages with provenance
@@ -103,6 +105,9 @@ jobs:
         with:
           path: artifacts
 
+      - name: Clean artifacts
+        run: find artifacts -type f -name '*.d.ts'  | xargs rm -f
+
       - name: Build node packages
         run: pnpm run build:js
 
@@ -115,11 +120,16 @@ jobs:
       - name: Link optional dependencies
         run: pnpm install --no-frozen-lockfile
 
+      # Update npm to the latest version to enable OIDC
+      - name: Update npm
+        run: |
+          npm install -g npm@latest
+          npm --version
+
       - name: Release Full
         run: |
           ./x publish stable --tag ${{inputs.tag}} ${{inputs.dry_run && '--dry-run' || '--no-dry-run'}} ${{inputs.push_tags && '--push-tags' || '--no-push-tags'}}
         env:
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
           REPOSITORY: ${{ github.repository }}
           REF: ${{ github.ref }}
           ONLY_RELEASE_TAG: true