chore: use trusted publishing for releases

Author: V3RON

.github/workflows/release.yml

@@ -29,7 +29,6 @@ jobs:
       RELEASE_MODE: ${{ github.event.inputs.mode }}
       RELEASE_REF: ${{ github.ref_name }}
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-      NODE_AUTH_TOKEN: ${{ secrets.NPM_ACCESS_TOKEN }}
       NPM_CONFIG_PROVENANCE: true
       GIT_AUTHOR_NAME: actions-bot
       GIT_AUTHOR_EMAIL: actions-bot@users.noreply.github.com

RELEASING.md

@@ -26,6 +26,8 @@ Canary releases publish a unique prerelease version for the current commit with
 
 Canary releases do not consume or remove version plans.
 
-## Required secrets
+## Publishing auth
 
-The workflow expects `NPM_ACCESS_TOKEN` to be configured in GitHub Actions secrets.
+Publishing is expected to use npm trusted publishing via GitHub Actions OIDC.
+
+No npm access token is required for the release workflow itself.

scripts/release/release.mjs

@@ -90,12 +90,6 @@ function ensureGithubToken() {
   }
 }
 
-function ensureNpmToken() {
-  if (!process.env.NODE_AUTH_TOKEN) {
-    fail('NODE_AUTH_TOKEN must be set');
-  }
-}
-
 function readVersion() {
   const filePath = path.join(cwd, representativePackagePath);
   const packageJson = JSON.parse(readFileSync(filePath, 'utf8'));
@@ -220,7 +214,6 @@ async function runStableRelease() {
 
   ensureRemoteBranch();
   ensureGithubToken();
-  ensureNpmToken();
 
   await release({
     yes: true,
@@ -241,14 +234,11 @@ async function runRcRelease() {
 
   ensureRemoteBranch();
   ensureGithubToken();
-  ensureNpmToken();
 
   await runRcReleaseWithVersionPlans();
 }
 
 async function runCanaryRelease() {
-  ensureNpmToken();
-
   const currentVersion = readVersion();
   const canaryVersion = getCanaryVersion(currentVersion);
   const releaseClient = new ReleaseClient({ versionPlans: false });