Makes the release script publish to npm (#168)

I'm working to make Yarn Switch use the binaries from npm to avoid
potential availability issues should we use our own endpoints and
misconfigure cache etc. It'll also make it easier to guarantee
immutability or some other security requirements like provenance.

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Introduces npm distribution of release artifacts and tightens npm/OIDC
integration and provenance generation.
> 
> - New GitHub Actions `npm` job: unpacks built artifacts, creates
per-target npm packages (`@yarnpkg/yarn-<target>`), and publishes them
with GitHub OIDC (env `id-token: write`)
> - Build matrix adds `i686-unknown-linux-musl`; release step wiring
adjusted
> - `zpm` npm publish path fixes: proper scoped package encoding (`%2f`)
and shared URL constructors
> - OIDC improvements: new `get_id_token` with explicit `audience`
(derived from registry host or `sigstore`), GitHub Actions ID token
response uses `value`, and audience query param added
> - Provenance fixes: correct `GITHUB_WORKFLOW_REF` split (`@`) and
builder ID format; generate sigstore payload via fetched token
> - Add `url` crate (with error variant) and bump `zpm-switch` to
`6.0.0-rc.9`
> - Lockfile updates for related deps (e.g., `url`, `idna`,
`percent-encoding`)
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
fdb5419. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Author: arcanis

.github/workflows/releases.yml

@@ -50,6 +50,8 @@ jobs:
             os: ubuntu-latest
           - target: aarch64-unknown-linux-musl
             os: ubuntu-latest
+          - target: i686-unknown-linux-musl
+            os: ubuntu-latest
           - target: aarch64-apple-darwin
             os: macos-latest
 
@@ -79,7 +81,6 @@ jobs:
             yarn-${{matrix.target}}.zip
 
   release:
-    if: needs.check.outputs.needs-release == 'true'
     needs: [check, build]
 
     name: 'Creating a release'
@@ -114,3 +115,138 @@ jobs:
             artifacts/*
         env:
           GH_TOKEN: ${{github.token}}
+
+  npm:
+    needs: [check, build]
+
+    name: 'Publishing to npm'
+    runs-on: ubuntu-latest
+
+    environment: releases
+
+    permissions:
+      contents: read
+      id-token: write
+
+    steps:
+      - name: Checkout the repo
+        uses: actions/checkout@v4
+
+      - name: Download artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: artifacts
+          merge-multiple: true
+
+      - name: Unpack the build of Yarn we just created
+        uses: actions/github-script@v8
+        env:
+          VERSION: ${{needs.check.outputs.version}}
+        with:
+          script: |
+            const cp = require(`child_process`);
+            const fs = require(`fs`);
+            const path = require(`path`);
+
+            const artifacts = fs.readdirSync(`artifacts`, {
+              withFileTypes: true,
+            });
+
+            function includes(str, search) {
+              return str.split(/-/).includes(search);
+            }
+
+            function findFirst(str, map) {
+              return Object.entries(map).find(([, value]) => includes(str, value))[0];
+            }
+
+            for (const artifact of artifacts) {
+              if (!artifact.isFile() || !artifact.name.startsWith('yarn-'))
+                continue;
+
+              const targetName = artifact.name.replace(`.zip`, ``);
+              const destinationPath = path.join(artifact.parentPath, targetName);
+              const sourcePath = path.join(artifact.parentPath, artifact.name);
+
+              cp.execFileSync(`unzip`, [`-d`, destinationPath, sourcePath]);
+
+              const ext = includes(targetName, `windows`) ? `.exe` : ``;
+
+              // We don't need to distribute Yarn Switch itself
+              fs.unlinkSync(path.join(destinationPath, `yarn`));
+
+              // Rename the binary to `yarn`
+              fs.renameSync(path.join(destinationPath, `yarn-bin${ext}`), path.join(destinationPath, `yarn${ext}`));
+
+              // Make it executable
+              fs.chmodSync(path.join(destinationPath, `yarn${ext}`), 0o755);
+
+              const cpu = findFirst(targetName, {
+                x64: `x86_64`,
+                arm64: `aarch64`,
+                ia32: `i686`,
+              });
+
+              const os = findFirst(targetName, {
+                linux: `linux`,
+                darwin: `darwin`,
+              });
+
+              fs.writeFileSync(path.join(destinationPath, `package.json`), `${JSON.stringify({
+                name: `@yarnpkg/${targetName}`,
+                version: process.env.VERSION,
+                license: `GPL-3.0`,
+                cpu: [cpu],
+                os: [os],
+                bin: {
+                  yarn: `yarn${ext}`,
+                },
+                repository: {
+                  type: `git`,
+                  url: `git+https://github.com/yarnpkg/zpm.git`,
+                },
+              }, null, 2)}\n`);
+
+              fs.writeFileSync(path.join(destinationPath, `yarn.lock`), ``);
+            }
+
+      - name: Add the bin directory to the PATH
+        run: |
+          echo "$PWD/artifacts/yarn-x86_64-unknown-linux-musl" >> $GITHUB_PATH
+
+      - name: Generate the packages
+        uses: actions/github-script@v8
+        env:
+          YARN_NPM_AUTH_TOKEN: ${{secrets.TEMPORARY_NPM_PUBLISH_TOKEN}}
+        with:
+          script: |
+            const cp = require(`child_process`);
+            const fs = require(`fs`);
+            const path = require(`path`);
+
+            const artifacts = fs.readdirSync(`artifacts`, {
+              withFileTypes: true,
+            });
+
+            for (const artifact of artifacts) {
+              if (!artifact.isDirectory() || !artifact.name.startsWith('yarn-'))
+                continue;
+
+              const artifactPath = path.join(artifact.parentPath, artifact.name);
+              console.log(`Publishing ${artifactPath}`);
+
+              cp.execFileSync(`yarn`, [`install`], {
+                stdio: `inherit`,
+                cwd: artifactPath,
+              });
+
+              cp.execFileSync(`yarn`, [`npm`, `whoami`], {
+                  stdio: `inherit`,
+                  cwd: artifactPath,
+              });
+
+              cp.execFileSync(`yarn`, [`npm`, `publish`, `--access`, `public`], {
+                stdio: `inherit`,
+                cwd: artifactPath,
+              });
+            }

Cargo.lock

@@ -1,6 +1,6 @@
 [package]
 name = "zpm-switch"
-version = "6.0.0-rc.8"
+version = "6.0.0-rc.9"
 edition = "2021"
 
 [[bin]]

packages/zpm-switch/Cargo.toml

@@ -51,3 +51,4 @@ hex = "0.4.3"
 p256 = "0.13.2"
 spki = "0.7.3"
 ring = "0.17.14"
+url = "2.5.7"

packages/zpm/Cargo.toml

@@ -8,7 +8,7 @@ use zpm_parsers::{JsonDocument, json_provider};
 use zpm_utils::{IoResultExt, Provider, Sha1, Sha512, ToFileString, ToHumanString, is_ci};
 
 use crate::{
-    error::Error, http::HttpClient, http_npm::{self, AuthorizationMode, NpmHttpParams}, npm, pack::{PackOptions, pack_workspace}, project::Project, provenance::attest, script::ScriptEnvironment
+    error::Error, http::HttpClient, http_npm::{self, AuthorizationMode, GetIdTokenOptions, NpmHttpParams}, npm, pack::{PackOptions, pack_workspace}, project::Project, provenance::attest, script::ScriptEnvironment
 };
 
 #[zpm_enum(or_else = |s| Err(Error::InvalidNpmPublishAccess(s.to_string())))]
@@ -182,14 +182,14 @@ impl Publish {
                 digest: provenance_digest,
             };
 
-            let oidc_token
-                = authorization.as_deref()
-                    .ok_or(Error::ProvenanceRequiresAuthentication)?
-                    .strip_prefix("Bearer ")
-                    .ok_or(Error::ProvenanceRequiresAuthentication)?;
+            let sigstore_token
+                = http_npm::get_id_token(&GetIdTokenOptions {
+                    http_client: &project.http_client,
+                    audience: "sigstore",
+                }).await?;
 
             let provenance_payload
-                = create_provenance_payload(&project.http_client, &provenance_file, &oidc_token).await?;
+                = create_provenance_payload(&project.http_client, &provenance_file, &sigstore_token.unwrap()).await?;
 
             if let Some(provenance_payload) = provenance_payload {
                 attachments.insert(
@@ -545,7 +545,7 @@ fn create_github_provenance_payload(subject: &ProvenanceSubject) -> Result<Strin
         = std::env::var("GITHUB_SERVER_URL")?;
 
     let (workflow_path, workflow_ref)
-        = github_workflow_ref.split_once('/')
+        = github_workflow_ref.split_once('@')
             .unwrap_or_else(|| panic!("Expected workflow path and ref to both exist (got '{}' instead)", github_workflow_ref));
 
     let workflow_repository
@@ -581,7 +581,7 @@ fn create_github_provenance_payload(subject: &ProvenanceSubject) -> Result<Strin
             },
             run_details: GitHubProvenanceRunDetails {
                 builder: GitHubProvenanceBuilder {
-                    id: format!("{}{}", GITHUB_BUILDER_ID_PREFIX, std::env::var("RUNNER_ENVIRONMENT")?),
+                    id: format!("{}/{}", GITHUB_BUILDER_ID_PREFIX, std::env::var("RUNNER_ENVIRONMENT")?),
                 },
                 metadata: GitHubProvenanceMetadata {
                     invocation_id: format!("{}/{}/actions/runs/{}/attempts/{}", std::env::var("GITHUB_SERVER_URL")?, std::env::var("GITHUB_REPOSITORY")?, std::env::var("GITHUB_RUN_ID")?, std::env::var("GITHUB_RUN_ATTEMPT")?),

packages/zpm/src/commands/npm/publish.rs

@@ -141,6 +141,9 @@ pub enum Error {
     #[error("Semver error ({0})")]
     SemverError(#[from] zpm_semver::Error),
 
+    #[error("URL error ({0})")]
+    UrlError(#[from] url::ParseError),
+
     #[error("Invalid ident ({0})")]
     InvalidIdent(String),
 

packages/zpm/src/error.rs

@@ -129,7 +129,23 @@ pub fn should_authenticate(options: &GetAuthorizationOptions<'_>) -> bool {
     }
 }
 
-async fn get_id_token(options: &GetAuthorizationOptions<'_>) -> Result<Option<String>, Error> {
+pub struct GetIdTokenOptions<'a> {
+    pub http_client: &'a HttpClient,
+    pub audience: &'a str,
+}
+
+fn get_npm_audience(registry: &str) -> Result<String, Error> {
+    let registry_url
+        = url::Url::parse(registry)?;
+
+    let registry_host
+        = registry_url.host_str()
+            .expect("\"http:\" URL should have a host");
+
+    Ok(format!("npm:{}", registry_host))
+}
+
+pub async fn get_id_token(options: &GetIdTokenOptions<'_>) -> Result<Option<String>, Error> {
     if let Ok(oidc_token) = std::env::var("NPM_ID_TOKEN") {
         return Ok(Some(oidc_token));
     }
@@ -142,6 +158,12 @@ async fn get_id_token(options: &GetAuthorizationOptions<'_>) -> Result<Option<St
         return Ok(None);
     };
 
+    let mut actions_id_token_request_url
+        = url::Url::parse(&actions_id_token_request_url)?;
+
+    actions_id_token_request_url.query_pairs_mut()
+        .append_pair("audience", options.audience);
+
     let response
         = options.http_client.get(actions_id_token_request_url)?
             .header("authorization", Some(format!("Bearer {}", actions_id_token_request_token)))
@@ -153,13 +175,13 @@ async fn get_id_token(options: &GetAuthorizationOptions<'_>) -> Result<Option<St
 
     #[derive(Deserialize)]
     struct ActionsIdTokenResponse {
-        token: String,
+        value: String,
     }
 
     let data: ActionsIdTokenResponse
         = JsonDocument::hydrate_from_str(&body)?;
 
-    Ok(Some(data.token))
+    Ok(Some(data.value))
 }
 
 fn get_ident_url(ident: &Ident) -> String {
@@ -179,7 +201,10 @@ async fn get_oidc_token(options: &GetAuthorizationOptions<'_>) -> Result<Option<
     };
 
     let id_token
-        = get_id_token(options).await?;
+        = get_id_token(&GetIdTokenOptions {
+            http_client: options.http_client,
+            audience: &get_npm_audience(&options.registry)?,
+        }).await?;
 
     let Some(id_token) = id_token else {
         return Ok(None);