fix: use OIDC trusted publishing instead of npm token for releases (#1031)

Remove registry-url from setup-node so the repo .npmrc is preserved,
enabling OIDC authentication for npm publishing. Remove NODE_AUTH_TOKEN
and the NPM_TOKEN secret dependency.

Also align the release workflow with the Typist reference implementation:
use package-published output from semantic-release instead of tag-diff
detection, add node_modules caching, explicit build step, and consistent
step naming.

Author: rfgamaral

.github/workflows/publish-package-release.yml

@@ -0,0 +1,110 @@
+name: Package Release
+
+on:
+    push:
+        branches:
+            - main
+
+env:
+    GH_PACKAGES_TOKEN: ${{ secrets.GH_PACKAGES_TOKEN }}
+
+permissions:
+    # Enable the use of OIDC for trusted publishing and npm provenance
+    id-token: write
+    # Enable the use of GitHub Packages registry
+    packages: write
+    # Enable `semantic-release` to publish a GitHub release and push commits
+    contents: write
+    # Enable `semantic-release` to post comments on issues
+    issues: write
+    # Enable `semantic-release` to post comments on pull requests
+    pull-requests: write
+
+# The release workflow involves many crucial steps that once triggered shouldn't be cancelled until
+# finished, otherwise we might end up in an inconsistent state (e.g., published to GitHub Packages
+# but not npm), so new workflow runs are queued until the previous one has completely finished.
+concurrency:
+    group: ${{ github.workflow }}
+    cancel-in-progress: false
+
+jobs:
+    release-and-publish:
+        name: Release & Publish
+        runs-on: ubuntu-latest
+        timeout-minutes: 30
+
+        steps:
+            - name: Generate release bot token
+              id: release-bot
+              uses: actions/create-github-app-token@v3
+              with:
+                  app-id: ${{ secrets.DOIST_RELEASE_BOT_ID }}
+                  private-key: ${{ secrets.DOIST_RELEASE_BOT_PRIVATE_KEY }}
+                  permission-contents: write
+                  permission-issues: write
+                  permission-pull-requests: write
+
+            - name: Checkout repository
+              uses: actions/checkout@v6
+              with:
+                  token: ${{ steps.release-bot.outputs.token }}
+                  fetch-depth: 0
+
+            - name: Prepare Node.js environment
+              uses: actions/setup-node@v6
+              with:
+                  cache: npm
+                  node-version-file: .node-version
+
+            - name: Cache project 'node_modules' directory
+              id: node-modules-cache
+              uses: actions/cache@v5
+              with:
+                  key: node-modules-cache-${{ hashFiles('**/package-lock.json', '**/.node-version', 'patches/**') }}
+                  path: node_modules/
+
+            - name: Install project npm dependencies
+              if: ${{ steps.node-modules-cache.outputs.cache-hit != 'true' }}
+              run: |
+                  npm ci
+
+            - name: Build package
+              run: |
+                  npm run build
+
+            # The Node.js environment is prepared based on the `.npmrc` file in the repo, which
+            # configures Doist scoped packages to use the public npm registry with OIDC
+            # authentication for the initial `semantic-release` publish, after which we remove the
+            # Doist registry configuration, and prepare the Node.js environment for the GitHub
+            # Packages registry, providing a predictable release workflow for both registries.
+            - name: Publish package to public npm registry
+              id: semantic-release
+              run: |
+                  npx semantic-release
+              env:
+                  GITHUB_TOKEN: ${{ steps.release-bot.outputs.token }}
+                  GIT_AUTHOR_EMAIL: doistbot@users.noreply.github.com
+                  GIT_AUTHOR_NAME: Doist Bot
+                  GIT_COMMITTER_EMAIL: doistbot@users.noreply.github.com
+                  GIT_COMMITTER_NAME: Doist Bot
+
+            - name: Remove Doist registry configuration from `.npmrc`
+              if: ${{ steps.semantic-release.outputs.package-published == 'true' }}
+              run: |
+                  npm config delete @doist:registry --location=project
+
+            - name: Prepare Node.js environment for GitHub Packages registry
+              if: ${{ steps.semantic-release.outputs.package-published == 'true' }}
+              uses: actions/setup-node@v6
+              with:
+                  cache: npm
+                  node-version-file: .node-version
+                  registry-url: https://npm.pkg.github.com/
+                  scope: '@doist'
+
+            - name: Publish package to private GitHub Packages registry
+              if: ${{ steps.semantic-release.outputs.package-published == 'true' }}
+              run: |
+                  npm publish
+              env:
+                  NODE_AUTH_TOKEN: ${{ secrets.GH_PACKAGES_TOKEN }}

.github/workflows/release.yml

@@ -22,8 +22,7 @@
         "**/*.css"
     ],
     "publishConfig": {
-        "access": "public",
-        "provenance": true
+        "access": "public"
     },
     "files": [
         "CHANGELOG.md",
@@ -55,8 +54,7 @@
         "lint": "eslint --format codeframe --cache --ext js,jsx,ts,tsx ./",
         "storybook": "start-storybook -p 6006",
         "prettify": "prettier --write \"./**/*.{js,jsx,ts,tsx,json,css,scss,less,md,mdx}\"",
-        "plop": "plop",
-        "prepublishOnly": "npm run build && npm test"
+        "plop": "plop"
     },
     "peerDependencies": {
         "@ariakit/react": "~0.4.19",

package.json

@@ -17,5 +17,14 @@ export default {
             },
         ],
         '@semantic-release/github',
+        [
+            '@semantic-release/exec',
+            {
+                verifyConditionsCmd:
+                    'if [ -n "$GITHUB_OUTPUT" ]; then echo "package-published=false" >> "$GITHUB_OUTPUT"; fi',
+                successCmd:
+                    'if [ -n "$GITHUB_OUTPUT" ]; then echo "package-published=true" >> "$GITHUB_OUTPUT"; fi',
+            },
+        ],
     ],
 }