ci: use npm trusted publishing instead of CFA (#160)

Author: dsanders11

.github/workflows/publish-npm.yml

@@ -16,48 +16,24 @@ jobs:
     environment: npm
     permissions:
       contents: write # for creating new release
-      id-token: write # for CFA
+      id-token: write # for publishing releases
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
       - name: "Use Node.js ${{ matrix.node-version }}"
         uses: actions/setup-node@1e60f620b9541d16bece96c5465dc8ee9832be0b # v4.0.3
         with:
-          node-version: "20.16.0"
+          node-version: "20.17.0"
+      - name: Update npm to version that supports trusted publishing
+        run: npm install -g npm@^11.5.1
       - name: Update Version
         run: node script/update-version.js ${{ github.ref_name }}
       - name: Confirm Version Updated
         run: node -e "if (require('./package.json').version === '0.0.0-development') process.exit(1)"
       - name: Install Dependencies
         run: npm ci
-      - name: Obtain OIDC token
-        id: oidc
-        run: |
-          token=$(curl --fail -H "Authorization: bearer $ACTIONS_ID_TOKEN_REQUEST_TOKEN" \
-            "$ACTIONS_ID_TOKEN_REQUEST_URL&audience=continuousauth.dev" | jq -r '.value')
-          echo "::add-mask::${token}"
-          echo "token=${token}" >> $GITHUB_OUTPUT
-      - name: Obtain GitHub credentials
-        id: github_creds
-        run: |
-          token=$(curl --fail "https://continuousauth.dev/api/request/${{ secrets.CFA_PROJECT_ID }}/github/credentials" \
-            -X POST \
-            -H "Content-Type: application/json" \
-            -H "Authorization: bearer ${{ secrets.CFA_SECRET }}" \
-            --data "{\"token\":\"${{ steps.oidc.outputs.token }}\"}" | jq -r '.GITHUB_TOKEN')
-          echo "::add-mask::${token}"
-          echo "token=${token}" >> $GITHUB_OUTPUT
-      - name: Set NPM Credentials
-        run: echo //registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }} > ~/.npmrc
-      - name: Check NPM Credentials
-        run: npm whoami
-      - name: CFA Publish
-        timeout-minutes: 60
-        env:
-          CFA_PROJECT_ID: ${{ secrets.CFA_PROJECT_ID }}
-          CFA_SECRET: ${{ secrets.CFA_SECRET }}
-          GITHUB_OIDC_TOKEN: ${{ steps.oidc.outputs.token }}
-        run: node script/publish.js
+      - name: Publish to npm
+        run: npm publish
       - name: Create Release
         env:
-          GITHUB_TOKEN: ${{ steps.github_creds.outputs.token }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: gh release create ${{ github.ref_name }} -t ${{ github.ref_name }}

.github/workflows/release.yml

@@ -25,7 +25,7 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           token: ${{ steps.generate-token.outputs.token }}
-      # Tag here, the publish-npm.yml workflow will trigger on the new tag and do the CFA publish
+      # Tag here, the publish-npm.yml workflow will trigger on the new tag and do the publish
       - name: Push New Tag
         run: |
           git tag ${{ github.event.inputs.version }}

.github/workflows/test.yml

@@ -27,7 +27,7 @@ jobs:
     strategy:
       matrix:
         node-version:
-          - '20.16.0'
+          - '20.17.0'
           - '18.20.4'
           - '16.20.2'
           - '14.21.3'