chore(NODE-7563): migrate main release workflows to npm trusted publishers (#4941)

tadjik1 · web-flow · commit 90f6967eba8a · 2026-05-19T08:10:31.000-07:00
diff --git a/.github/workflows/npm-publish.yml b/.github/workflows/npm-publish.yml
@@ -36,5 +36,9 @@ jobs:
           ref: ${{ inputs.ref }}
       - name: Install Node and dependencies
         uses: mongodb-labs/drivers-github-tools/node/setup@v3
-      - run: npm version "${{ inputs.version }}" --git-tag-version=false --allow-same-version
-      - run: npm publish --provenance --tag="${{ inputs.tag }}"
+      - run: npm version "$VERSION" --git-tag-version=false --allow-same-version
+        env:
+          VERSION: ${{ inputs.version }}
+      - run: npm publish --provenance --tag="$TAG"
+        env:
+          TAG: ${{ inputs.tag }}
diff --git a/.github/workflows/release-6.8.yml b/.github/workflows/release-6.8.yml
diff --git a/.github/workflows/release-alpha.yml b/.github/workflows/release-alpha.yml
@@ -9,7 +9,8 @@ on:
         type: string
 
 permissions:
-  id-token: write
+  actions: write
+  contents: read
 
 name: release-alpha
 
@@ -18,17 +19,22 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - shell: bash
+        env:
+          ALPHA_VERSION: ${{ inputs.alphaVersion }}
         run: |
           ALPHA_SEMVER_REGEXP="-alpha(\.([0-9]|[1-9][0-9]+))?$"
 
-          if ! [[ "${{ inputs.alphaVersion }}" =~ $ALPHA_SEMVER_REGEXP ]]; then
+          if ! [[ "$ALPHA_VERSION" =~ $ALPHA_SEMVER_REGEXP ]]; then
             echo "Invalid alphaVersion string"
             exit 1
           fi
       - uses: actions/checkout@v5
-      - name: Install Node and dependencies
-        uses: mongodb-labs/drivers-github-tools/node/setup@v3
-      - run: npm version "${{ inputs.alphaVersion }}" --git-tag-version=false
-      - run: npm publish --provenance --tag=alpha
+      - name: Dispatch npm-publish workflow
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          GH_TOKEN: ${{ github.token }}
+          ALPHA_VERSION: ${{ inputs.alphaVersion }}
+        run: |
+          node ./.github/scripts/dispatch-and-wait.mjs npm-publish.yml \
+            tag=alpha \
+            version="$ALPHA_VERSION" \
+            ref="${{ github.sha }}"
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -6,7 +6,6 @@ on:
 permissions:
   contents: write
   pull-requests: write
-  id-token: write
 
 name: release-latest
 
@@ -91,15 +90,20 @@ jobs:
 
   publish:
     needs: [release_please, ssdlc, build]
+    permissions:
+      actions: write
+      contents: read
     environment: release
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v5
 
-      - name: Install Node and dependencies
-        uses: mongodb-labs/drivers-github-tools/node/setup@v3
-
-      - run: npm publish --provenance --tag=latest
+      - name: Dispatch npm-publish workflow
         if: ${{ needs.release_please.outputs.release_created }}
         env:
-          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          node ./.github/scripts/dispatch-and-wait.mjs npm-publish.yml \
+            tag=latest \
+            version="$(node -p "require('./package.json').version")" \
+            ref="${{ github.sha }}"
