ci(release): harden security [AR-63091] (#467)

Restructure the release workflow so only the publish part has access to
the OIDC token.
See: https://tanstack.com/blog/npm-supply-chain-compromise-postmortem

Author: StyleShit

.github/actions/install/action.yml

@@ -1,6 +1,12 @@
 name: Install
 description: Install Node.js, pnpm, and dependencies
 
+inputs:
+  skip-install:
+    description: Skip installation of dependencies
+    required: false
+    default: false
+
 runs:
   using: composite
   steps:
@@ -15,6 +21,7 @@ runs:
         node-version-file: .nvmrc
 
     - name: Install Dependencies
+      if: ${{ inputs.skip-install != 'true' }}
       shell: bash
       env:
         # Skip Husky installation.

.github/workflows/release.yml

@@ -10,8 +10,8 @@ concurrency: ${{ github.workflow }} @ ${{ github.ref }}
 permissions: {}
 
 jobs:
-  release:
-    name: Release
+  prepare:
+    name: Prepare
     runs-on: ubuntu-latest
 
     if: github.repository_owner == 'drivenets'
@@ -20,7 +20,9 @@ jobs:
       contents: write # to create release (changesets/action)
       issues: write # to post issue comments (changesets/action)
       pull-requests: write # to create pull request (changesets/action)
-      id-token: write # for npm trusted publishing
+
+    outputs:
+      should-publish: ${{ steps.changesets.outputs.hasChangesets == 'false' }}
 
     steps:
       - name: Checkout source code
@@ -29,21 +31,33 @@ jobs:
           fetch-depth: 0
           filter: 'blob:none'
 
-      - name: Install pnpm
-        uses: pnpm/action-setup@91ab88e2619ed1f46221f0ba42d1492c02baf788 # v6.0.6
-        with:
-          cache: true
+      - name: Install Dependencies
+        uses: ./.github/actions/install
 
-      - name: Install Node.js
-        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
+      - name: Create or update release PR
+        id: changesets
+        uses: changesets/action@63a615b9cd06ba9a3e6d13796c7fbcb080a60a0b # v1.8.0
         with:
-          node-version-file: .nvmrc
+          commit: 'chore(release): publish'
+          title: 'chore(release): publish'
 
-      - name: Ensure updated npm
-        run: npm install -g npm@11.7.0 # npm >= 11.5.1 is required for trusted publishing
+  build:
+    name: Build for publish
+    needs: prepare
+    if: needs.prepare.outputs.should-publish == 'true'
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
 
       - name: Install Dependencies
-        run: pnpm i
+        uses: ./.github/actions/install
 
       - name: Cache turbo
         uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
@@ -53,11 +67,54 @@ jobs:
           restore-keys: |
             ${{ runner.os }}-turbo-build-
 
-      - name: Create release PR or publish
+      - name: Build packages
+        run: pnpm build
+
+      - name: Upload build
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: release-build
+          path: packages/*/dist
+          if-no-files-found: error
+          retention-days: 1
+          include-hidden-files: false
+
+  # WARNING:
+  #   For security reasons, this is the only job that should have `id-token: write` permissions.
+  #   We don't want dependencies and build scripts to have access to this token.
+  publish:
+    name: Publish
+    needs: build
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: write # to create release (changesets/action)
+      id-token: write # for npm trusted publishing
+
+    steps:
+      - name: Checkout source code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Install Dependencies
+        uses: ./.github/actions/install
+        with:
+          skip-install: true
+
+      - name: Ensure updated npm
+        run: npm install -g npm@11.7.0 # npm >= 11.5.1 is required for trusted publishing
+
+      - name: Install changeset
+        run: pnpm install -g @changesets/cli@^2.30.0
+
+      - name: Download build
+        uses: actions/download-artifact@484a0b528fb4d7bd804637ccb632e47a0e638317 # v8.0.1
+        with:
+          name: release-build
+          path: packages
+
+      - name: Publish
         uses: changesets/action@63a615b9cd06ba9a3e6d13796c7fbcb080a60a0b # v1.8.0
         with:
-          publish: pnpm run release
-          commit: 'chore(release): publish'
-          title: 'chore(release): publish'
+          publish: changeset publish
         env:
           NPM_TOKEN: '' # https://github.com/changesets/action/issues/542#issuecomment-3642334398

package.json

@@ -23,7 +23,6 @@
 		"build": "turbo run build",
 		"build:storybook": "turbo run build:storybook",
 		"changelog": "changeset",
-		"release": "pnpm build && changeset publish",
 		"prepare": "husky",
 		"pre-commit": "lint-staged"
 	},