ci: use oidc connect to deploy pkg

Author: hyochan

.github/workflows/publish.yml

@@ -0,0 +1,116 @@
+name: Publish to npm
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version bump type'
+        required: true
+        type: choice
+        options:
+          - patch
+          - minor
+          - major
+      dry-run:
+        description: 'Dry run (test without publishing)'
+        required: false
+        type: boolean
+        default: false
+
+permissions:
+  contents: write
+  id-token: write
+
+jobs:
+  publish:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+          registry-url: 'https://registry.npmjs.org'
+          # Trusted Publishers (OIDC) 사용 - NPM_TOKEN 불필요
+
+      - name: Setup pnpm
+        uses: pnpm/action-setup@v4
+
+      - name: Configure git
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "github-actions[bot]@users.noreply.github.com"
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build packages
+        run: pnpm build
+
+      - name: Run type check
+        run: pnpm typecheck
+
+      - name: Run tests
+        run: pnpm test
+
+      - name: Bump version
+        if: ${{ !inputs.dry-run }}
+        run: |
+          case "${{ inputs.version }}" in
+            patch)
+              pnpm version:patch
+              ;;
+            minor)
+              pnpm version:minor
+              ;;
+            major)
+              pnpm version:major
+              ;;
+          esac
+
+      - name: Get new version
+        if: ${{ !inputs.dry-run }}
+        id: version
+        run: |
+          VERSION=$(node -p "require('./packages/kstyled/package.json').version")
+          echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
+          echo "New version: $VERSION"
+
+      - name: Commit version bump
+        if: ${{ !inputs.dry-run }}
+        run: |
+          git add .
+          git commit -m "chore: release v${{ steps.version.outputs.VERSION }}"
+          git tag v${{ steps.version.outputs.VERSION }}
+
+      - name: Publish to npm (dry-run)
+        if: ${{ inputs.dry-run }}
+        run: pnpm publish:dry
+
+      - name: Publish to npm
+        if: ${{ !inputs.dry-run }}
+        run: pnpm publish:packages --provenance --no-git-checks
+        # Trusted Publishers (OIDC) 사용으로 NODE_AUTH_TOKEN 불필요
+
+      - name: Push changes
+        if: ${{ !inputs.dry-run }}
+        run: |
+          git push origin main
+          git push origin v${{ steps.version.outputs.VERSION }}
+
+      - name: Create GitHub Release
+        if: ${{ !inputs.dry-run }}
+        uses: actions/create-release@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          tag_name: v${{ steps.version.outputs.VERSION }}
+          release_name: Release v${{ steps.version.outputs.VERSION }}
+          draft: false
+          prerelease: false