Add trusted publishing (#791)

Author: ericglau

.github/actions/setup/action.yml

@@ -7,6 +7,7 @@ runs:
       with:
         node-version: 22
         cache: yarn
+        registry-url: 'https://registry.npmjs.org'
 
     - name: Install dependencies
       run: yarn --frozen-lockfile --prefer-offline --network-concurrency 1

.github/workflows/publish.yml

@@ -11,6 +11,7 @@ jobs:
     permissions:
       contents: write
       pull-requests: write
+      id-token: write
     runs-on: ubuntu-latest
     environment: publish
     steps:
@@ -20,6 +21,51 @@ jobs:
           ref: ${{ github.ref }}
       - name: Set up environment
         uses: ./.github/actions/setup
+      - name: Install npm 11 for OIDC trusted publishing
+        run: npm install -g npm@11.12.1
+      - name: Check for new packages
+        id: check-packages
+        run: |
+          : > "$RUNNER_TEMP/new_packages.txt"
+          while IFS=: read -r pkg dir; do
+            npm_stderr_file="$RUNNER_TEMP/npm-view-${pkg//[^a-zA-Z0-9]/_}.stderr"
+            if npm view "$pkg" version > /dev/null 2> "$npm_stderr_file"; then
+              echo "Existing package: $pkg"
+              rm -f "$npm_stderr_file"
+              continue
+            fi
+
+            npm_error="$(tr '\n' ' ' < "$npm_stderr_file")"
+            rm -f "$npm_stderr_file"
+
+            if [[ "$npm_error" == *"E404"* || "$npm_error" == *"404"* || "$npm_error" == *"Not Found"* ]]; then
+              echo "New package detected: $pkg ($dir)"
+              echo "$dir" >> "$RUNNER_TEMP/new_packages.txt"
+            else
+              echo "::error::npm view failed for $pkg: ${npm_error:-Unknown error}"
+              exit 1
+            fi
+          done < <(yarn workspaces --json info | node -e "
+            const info = JSON.parse(JSON.parse(require('fs').readFileSync('/dev/stdin','utf8')).data);
+            for (const [name, meta] of Object.entries(info)) {
+              const pkgJson = require('./' + meta.location + '/package.json');
+              if (!pkgJson.private) console.log(name + ':' + meta.location);
+            }
+          ")
+
+          has_new_packages=false
+          if [ -s "$RUNNER_TEMP/new_packages.txt" ]; then
+            echo "::notice::New packages detected — will use NPM token for publish"
+            has_new_packages=true
+          else
+            echo "All packages exist on npm — using OIDC trusted publishing"
+          fi
+          echo "has_new_packages=$has_new_packages" >> "$GITHUB_OUTPUT"
+      - name: Enable NPM token publishing
+        if: steps.check-packages.outputs.has_new_packages == 'true'
+        run: echo "NODE_AUTH_TOKEN=${NPM_TOKEN}" >> "$GITHUB_ENV"
+        env:
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
       - name: Create Prepare Release PR or Publish
         id: changesets
         uses: changesets/action@e0145edc7d9d8679003495b11f87bd8ef63c0cba # v1.5.3
@@ -31,7 +77,7 @@ jobs:
           commitMode: github-api
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+          NPM_CONFIG_PROVENANCE: true
       - name: Check changesets status
         if: steps.changesets.outputs.hasChangesets == 'true'
         run: |