ci: migrate npm release workflow to trusted publishing

Author: 7nohe

.github/workflows/comment-release.yml

@@ -2,20 +2,38 @@ name: release
 
 permissions:
   contents: write
+  id-token: write
+  issues: write
 
 on:
   push:
     tags:
       - 'v*'
+  issue_comment:
+    types:
+      - created
 
 jobs:
   release:
+    if: ${{ github.event_name == 'push' || (github.event.issue.pull_request && github.event.comment.body == 'npm publish') }}
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - if: ${{ github.event_name == 'push' }}
+        uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
+      - if: ${{ github.event_name == 'issue_comment' }}
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: ⬇️ Checkout PR
+        if: ${{ github.event_name == 'issue_comment' }}
+        run: |
+          git fetch origin pull/${{ github.event.issue.number }}/head:pr-find-commit
+          git checkout pr-find-commit
+
       - name: Install pnpm
         uses: pnpm/action-setup@v3
         with:
@@ -24,18 +42,52 @@ jobs:
       - name: Install Node.js
         uses: actions/setup-node@v4
         with:
-          node-version: 20
+          node-version: 24
           cache: "pnpm"
           registry-url: 'https://registry.npmjs.org'
 
-      - run: npx changelogithub
+      - name: Create GitHub release notes
+        if: ${{ github.event_name == 'push' }}
+        run: npx changelogithub
         env:
           GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
 
+      - name: Set prerelease package version
+        if: ${{ github.event_name == 'issue_comment' }}
+        run: npm version --no-git-tag-version 0.0.0-$(git rev-parse HEAD)
+
       - name: Install dependencies
         run: pnpm install
 
-      - run: pnpm publish --no-git-checks
-        env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-  
+      - name: Publish release
+        if: ${{ github.event_name == 'push' }}
+        run: pnpm publish --no-git-checks
+
+      - name: Publish prerelease
+        if: ${{ github.event_name == 'issue_comment' }}
+        run: pnpm publish --no-git-checks --tag pre
+
+      - name: Update comment
+        if: ${{ github.event_name == 'issue_comment' }}
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const { issue: { number: issue_number }, repo: { owner, repo }, payload } = context;
+            const fs = require('fs');
+            const jsonString = fs.readFileSync(`${process.env.GITHUB_WORKSPACE}/package.json`);
+            const packageJson = JSON.parse(jsonString);
+            const { name: packageName, version } = packageJson;
+
+            const body = [
+              'npm package published to pre tag.',
+              `\`\`\`bash\nnpm install ${packageName}@pre\n\`\`\``,
+              `\`\`\`bash\nnpm install ${packageName}@${version}\n\`\`\``,
+            ].join('\n\n');
+
+            await github.rest.issues.updateComment({
+              owner,
+              repo,
+              comment_id: payload.comment.id,
+              body,
+            });